From 4f13279cf5337e94dee0865cce2619f532d9e761 Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Thu, 13 May 2021 11:37:35 -0400 Subject: [PATCH] [Filebeat] Sort array fields in generated data (#25320) - sort arrays by using string representation of values - update generated data (cherry picked from commit 52f226530db54fc3244d1f00e50ce4ec47e6b7fb) # Conflicts: # x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json # x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json # x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json # x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json # x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json # x-pack/filebeat/module/iptables/log/test/geo.log-expected.json # x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json # x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json # x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json # x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json # x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json # x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json # x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json # x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json # x-pack/filebeat/module/panw/panos/test/userid.log-expected.json # x-pack/filebeat/module/snort/log/test/generated.log-expected.json # x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json # x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json # x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json --- CHANGELOG-developer.next.asciidoc | 1 + .../test/audit-cent7-node.log-expected.json | 8 +- .../log/test/audit-rhel6.log-expected.json | 2 +- .../auditd/log/test/test.log-expected.json | 2 +- .../auditd/log/test/useradd.log-expected.json | 20 +- .../audit/test/test-access.log-expected.json | 8 +- .../test/test-audit-761.log-expected.json | 4 
+- .../gc/test/gc.log-expected.json | 64 +- .../server/test/test-json.log-expected.json | 120 +- .../log/test/default.log-expected.json | 4 +- .../test/test-iis-7.2.log-expected.json | 40 +- .../test/test-iis-7.5.log-expected.json | 24 +- .../test/test-ipv6zone.log-expected.json | 4 +- ...t-x-forward-for-extended.log-expected.json | 48 +- .../test/test-x-forward-for.log-expected.json | 72 +- .../iis/access/test/test.log-expected.json | 32 +- .../test/iis_error_url.log-expected.json | 32 +- .../error/test/ipv6_zone_id.log-expected.json | 4 +- .../iis/error/test/test.log-expected.json | 28 +- .../kibana/log/test/log.624.log-expected.json | 140 +- .../test/log.verbose.624.log-expected.json | 376 +- .../kibana/log/test/test.log-expected.json | 8 +- .../mongodb-debian-3.2.11.log-expected.json | 4 +- .../test/mariadb-10.4.8.log-expected.json | 4 +- .../mysql-ubuntu-5.5.53.log-expected.json | 8 +- .../test/test-with-host.log-expected.json | 20 +- .../nginx/access/test/test.log-expected.json | 12 +- .../test/test.log-expected.json | 16 +- .../pensando/dfw/test/test.log-expected.json | 12 +- .../santa/log/test/santa.log-expected.json | 36 +- .../test/auth-ubuntu1204.log-expected.json | 196 +- .../system/auth/test/test.log-expected.json | 20 +- .../auth/test/timestamp.log-expected.json | 4 +- filebeat/tests/system/test_modules.py | 3 + .../add-user-to-group-json.log-expected.json | 4 +- .../test/assume-role-json.log-expected.json | 12 +- .../change-password-json.log-expected.json | 8 +- .../cloudtrail-digest-json.log-expected.json | 80 +- .../create-access-key-json.log-expected.json | 4 +- .../test/create-group-json.log-expected.json | 8 +- .../test/create-user-json.log-expected.json | 4 +- ...-virtual-mfa-device-json.log-expected.json | 4 +- ...activate-mfa-device-json.log-expected.json | 4 +- .../delete-access-key-json.log-expected.json | 4 +- .../test/delete-group-json.log-expected.json | 8 +- ...lete-ssh-public-key-json.log-expected.json | 4 +- 
.../test/delete-user-json.log-expected.json | 4 +- ...-virtual-mfa-device-json.log-expected.json | 4 +- .../enable-mfa-device-json.log-expected.json | 4 +- ...ove-user-from-group-json.log-expected.json | 4 +- .../update-access-key-json.log-expected.json | 4 +- .../test/update-group-json.log-expected.json | 8 +- ...pdate-login-profile-json.log-expected.json | 4 +- ...date-ssh-public-key-json.log-expected.json | 8 +- .../test/update-user-json.log-expected.json | 4 +- .../accept-reject-traffic.log-expected.json | 12 +- .../test/custom-nat-gateway.log-expected.json | 4 +- .../test/tcp-flag-sequence.log-expected.json | 12 +- .../test/signinlogs.log-expected.json | 215 ++ .../test/generated.log-expected.json | 12 +- .../module/cef/log/test/cef.log-expected.json | 4 +- .../cef/log/test/checkpoint.log-expected.json | 4 +- .../log/test/fp-ngfw-smc.log-expected.json | 8 +- .../test/checkpoint.log-expected.json | 348 +- .../test/cisco_amp1.ndjson.log-expected.json | 228 +- .../test/cisco_amp2.ndjson.log-expected.json | 304 +- .../test/cisco_amp3.ndjson.log-expected.json | 268 +- .../test/cisco_amp4.ndjson.log-expected.json | 480 +-- .../test/cisco_amp5.ndjson.log-expected.json | 298 +- .../test/cisco_amp6.ndjson.log-expected.json | 236 +- .../test/cisco_amp7.ndjson.log-expected.json | 238 +- .../additional_messages.log-expected.json | 236 +- .../cisco/asa/test/asa-fix.log-expected.json | 48 +- .../cisco/asa/test/asa.log-expected.json | 128 +- .../cisco/asa/test/filtered.log-expected.json | 4 +- .../asa/test/hostnames.log-expected.json | 4 +- .../cisco/asa/test/not-ip.log-expected.json | 16 +- .../cisco/asa/test/sample.log-expected.json | 284 +- .../cisco/ftd/test/asa-fix.log-expected.json | 16 +- .../cisco/ftd/test/asa.log-expected.json | 128 +- .../cisco/ftd/test/dns.log-expected.json | 168 +- .../ftd/test/intrusion.log-expected.json | 24 +- .../ftd/test/no-type-id.log-expected.json | 8 +- .../cisco/ftd/test/not-ip.log-expected.json | 16 +- 
.../cisco/ftd/test/sample.log-expected.json | 280 +- .../security-connection.log-expected.json | 88 +- .../security-malware-site.log-expected.json | 8 +- .../test/cisco-ios-syslog.log-expected.json | 32 +- .../meraki/test/generated.log-expected.json | 96 +- ...brella-cloudfirewalllogs.log-expected.json | 8 +- .../test/umbrella-dnslogs.log-expected.json | 8 +- .../test/umbrella-proxylogs.log-expected.json | 8 +- .../log/test/coredns-json.log-expected.json | 24 +- .../log/test/coredns.log-expected.json | 16 +- .../falcon-audit-events.log-expected.json | 36 +- .../test/falcon-sample.log-expected.json | 40 +- .../corepas/test/generated.log-expected.json | 414 ++- .../105_add_file_category.log-expected.json | 4 +- ...106_update_file_category.log-expected.json | 4 +- ...107_delete_file_category.log-expected.json | 4 +- .../test/124_rename_file.log-expected.json | 4 +- .../125_rename_file_cont.log-expected.json | 4 +- ...130_cpm_disable_password.log-expected.json | 8 +- .../audit/test/180_add_user.log-expected.json | 48 +- ..._full_gateway_connection.log-expected.json | 52 +- .../24_cpm_change_password.log-expected.json | 16 +- .../test/294_store_password.log-expected.json | 8 +- .../295_retrieve_password.log-expected.json | 64 +- .../test/300_psm_connect.log-expected.json | 40 +- .../test/302_psm_disconnect.log-expected.json | 36 +- .../test/308_use_password.log-expected.json | 68 +- ...309_undefined_user_logon.log-expected.json | 12 +- ...1_cpm_reconcile_password.log-expected.json | 8 +- .../test/33_update_owner.log-expected.json | 4 +- .../test/359_sql_command.log-expected.json | 40 +- .../361_keystroke_logging.log-expected.json | 24 +- ...5_blservice_audit_record.log-expected.json | 20 +- ...m_verify_password_failed.log-expected.json | 24 +- .../test/411_window_title.log-expected.json | 8 +- .../412_keystroke_logging.log-expected.json | 4 +- .../test/427_store_ssh_key.log-expected.json | 4 +- .../428_retrieve_ssh_key.log-expected.json | 24 +- 
.../4_user_authentication.log-expected.json | 4 +- .../test/50_store_file.log-expected.json | 4 +- .../test/52_delete_file.log-expected.json | 28 +- ...m_change_password_failed.log-expected.json | 4 +- ...econcile_password_failed.log-expected.json | 56 +- .../audit/test/7_logon.log-expected.json | 16 +- .../audit/test/8_logoff.log-expected.json | 4 +- .../98_open_file_write_only.log-expected.json | 4 +- .../log/test/envoy.log-expected.json | 4 +- .../bigipafm/test/generated.log-expected.json | 546 ++- .../test/generated.log-expected.json | 364 +- .../firewall/test/fortinet.log-expected.json | 68 +- .../test/generated.log-expected.json | 20 +- .../test/generated.log-expected.json | 541 ++- .../gcp/firewall/test/rare.log-expected.json | 8 +- .../gcp/firewall/test/test.log-expected.json | 92 +- ...pc-flow-log-entries.json.log-expected.json | 200 +- ...in-application-test.json.log-expected.json | 28 +- ...admin-calendar-test.json.log-expected.json | 8 +- .../admin-chat-test.json.log-expected.json | 8 +- ...admin-chromeos-test.json.log-expected.json | 32 +- ...admin-contacts-test.json.log-expected.json | 4 +- .../admin-docs-test.json.log-expected.json | 4 +- .../admin-domain-test.json.log-expected.json | 72 +- .../admin-gmail-test.json.log-expected.json | 16 +- .../admin-groups-test.json.log-expected.json | 48 +- .../admin-mobile-test.json.log-expected.json | 44 +- ...admin-security-test.json.log-expected.json | 60 +- .../admin-sites-test.json.log-expected.json | 8 +- .../admin-user-test.json.log-expected.json | 280 +- .../test/drive-test.json.log-expected.json | 44 +- .../test/groups-test.json.log-expected.json | 96 +- .../test/login-test.json.log-expected.json | 20 +- ...in-application-test.json.log-expected.json | 28 +- ...admin-calendar-test.json.log-expected.json | 8 +- ...ite-admin-chat-test.json.log-expected.json | 8 +- ...admin-chromeos-test.json.log-expected.json | 32 +- ...admin-contacts-test.json.log-expected.json | 4 +- 
...ite-admin-docs-test.json.log-expected.json | 4 +- ...e-admin-domain-test.json.log-expected.json | 72 +- ...te-admin-gmail-test.json.log-expected.json | 16 +- ...e-admin-groups-test.json.log-expected.json | 48 +- ...e-admin-mobile-test.json.log-expected.json | 44 +- ...admin-security-test.json.log-expected.json | 60 +- ...te-admin-sites-test.json.log-expected.json | 8 +- ...ite-admin-user-test.json.log-expected.json | 280 +- .../gsuite-drive-test.json.log-expected.json | 44 +- .../gsuite-groups-test.json.log-expected.json | 96 +- .../gsuite-login-test.json.log-expected.json | 20 +- .../errorlog/test/AMQERR01.log-expected.json | 80 +- .../test/AMQERR01_QM2.log-expected.json | 408 +-- .../test/generated.log-expected.json | 855 +++-- .../nios/test/generated.log-expected.json | 404 +-- .../iptables/log/test/geo.log-expected.json | 12 +- .../iptables/log/test/icmp.log-expected.json | 8 +- .../log/test/iptables.log-expected.json | 120 +- .../iptables/log/test/ipv6.log-expected.json | 44 + .../log/test/ubiquiti.log-expected.json | 40 +- .../junos/test/generated.log-expected.json | 400 +-- .../test/generated.log-expected.json | 412 +-- .../juniper/srx/test/atp.log-expected.json | 36 +- .../juniper/srx/test/flow.log-expected.json | 262 +- .../juniper/srx/test/idp.log-expected.json | 108 +- .../juniper/srx/test/ids.log-expected.json | 160 +- .../srx/test/secintel.log-expected.json | 28 +- .../juniper/srx/test/utm.log-expected.json | 132 +- .../defender_atp-test.json.log-expected.json | 12 +- .../dhcp/test/generated.log-expected.json | 400 +-- ...fender-test-empty.ndjson.log-expected.json | 4 +- ...365_defender-test.ndjson.log-expected.json | 48 +- .../test/mysql_audit_test.log-expected.json | 30 +- .../test/generated.log-expected.json | 408 +-- .../test/08-azuread-users.log-expected.json | 340 +- .../audit/test/08-azuread.log-expected.json | 3028 ++++++++--------- .../test/13-dlp-exchange.log-expected.json | 36 +- .../15-azuread-sts-logon.log-expected.json | 788 ++--- 
.../audit/test/22-yammer.log-expected.json | 8 +- .../test/25-ms-teams-groups.log-expected.json | 108 +- .../audit/test/25-ms-teams.log-expected.json | 40 +- .../test/global_protect.log-expected.json | 308 ++ .../test/pan_inc_other.log-expected.json | 151 +- .../test/pan_inc_threat.log-expected.json | 1218 +++---- .../test/pan_inc_traffic.log-expected.json | 1891 ++++++---- .../pan_inc_traffic_ietf.log-expected.json | 1776 +++++----- .../panw/panos/test/threat.log-expected.json | 1056 +++--- .../panw/panos/test/traffic.log-expected.json | 1776 +++++----- .../panw/panos/test/userid.log-expected.json | 754 ++++ .../test/generated.log-expected.json | 400 +-- .../log/test/generated.log-expected.json | 453 +-- .../test/snyk_audit.ndjson.log-expected.json | 16 +- .../test/snyk_vulns.ndjson.log-expected.json | 590 ++-- .../firewall/test/general.log-expected.json | 84 +- .../firewall/test/generated.log-expected.json | 468 +-- .../utm/test/generated.log-expected.json | 459 +-- .../xg/test/anti-spam.log-expected.json | 76 +- .../xg/test/anti-virus.log-expected.json | 76 +- .../sophos/xg/test/atp.log-expected.json | 40 +- .../sophos/xg/test/cfilter.log-expected.json | 56 +- .../sophos/xg/test/event.log-expected.json | 100 +- .../sophos/xg/test/firewall.log-expected.json | 196 +- .../sophos/xg/test/idp.log-expected.json | 48 +- .../sophos/xg/test/sandbox.log-expected.json | 48 +- .../sophos/xg/test/waf.log-expected.json | 60 +- .../sophos/xg/test/wifi.log-expected.json | 8 +- .../squid/log/test/access1.log-expected.json | 680 ++-- .../log/test/generated.log-expected.json | 1284 +++---- .../eve/test/eve-6.0.log-expected.json | 8 +- .../eve/test/eve-alerts.log-expected.json | 88 +- .../eve/test/eve-dns-4.1.4.log-expected.json | 206 +- .../eve/test/eve-small.log-expected.json | 20 +- .../abusechmalware.ndjson.log-expected.json | 222 +- .../test/abusechurl.ndjson.log-expected.json | 556 +-- .../anomali_limo.ndjson.log-expected.json | 800 ++--- 
.../malwarebazaar.ndjson.log-expected.json | 94 +- .../test/misp_sample.ndjson.log-expected.json | 42 +- .../test/otx_sample.ndjson.log-expected.json | 320 +- .../log/test/generated.log-expected.json | 836 +++-- .../test/connection-json.log-expected.json | 24 +- .../test/dce_rpc-json.log-expected.json | 8 +- .../dhcp/test/dhcp-json.log-expected.json | 12 +- .../dnp3/test/dnp3-json.log-expected.json | 4 +- .../zeek/dns/test/dns-json.log-expected.json | 20 +- .../zeek/dpd/test/dpd-json.log-expected.json | 4 +- .../files/test/files-json.log-expected.json | 20 +- .../zeek/irc/test/irc-json.log-expected.json | 12 +- .../test/kerberos-json.log-expected.json | 8 +- .../mysql/test/mysql-json.log-expected.json | 4 +- .../notice/test/notice-json.log-expected.json | 12 +- .../ntlm/test/ntlm-json.log-expected.json | 8 +- .../zeek/ntp/test/ntp-json.log-expected.json | 8 +- .../zeek/pe/test/pe-json.log-expected.json | 6 +- .../radius/test/radius-json.log-expected.json | 4 +- .../zeek/rdp/test/rdp-json.log-expected.json | 4 +- .../zeek/rfb/test/rfb-json.log-expected.json | 4 +- .../zeek/sip/test/sip-json.log-expected.json | 14 +- .../test/smb_cmd-json.log-expected.json | 4 +- .../test/smb_files-json.log-expected.json | 12 +- .../test/smb_mapping-json.log-expected.json | 4 +- .../snmp/test/snmp-json.log-expected.json | 4 +- .../zeek/ssh/test/ssh-json.log-expected.json | 4 +- .../zeek/ssl/test/ssl-json.log-expected.json | 8 +- .../tunnel/test/tunnel-json.log-expected.json | 4 +- .../x509/test/x509-json.log-expected.json | 128 +- .../test/account.ndjson.log-expected.json | 36 +- .../chat_channel.ndjson.log-expected.json | 32 +- .../chat_message.ndjson.log-expected.json | 24 +- .../test/meeting.ndjson.log-expected.json | 88 +- .../test/phone.ndjson.log-expected.json | 64 +- .../test/recording.ndjson.log-expected.json | 112 +- .../test/user.ndjson.log-expected.json | 104 +- .../test/webinar.ndjson.log-expected.json | 120 +- .../test/zoomroom.ndjson.log-expected.json | 16 +- 
.../zia/test/generated.log-expected.json | 676 ++-- .../zscaler/zia/test/test.log-expected.json | 4 +- 276 files changed, 20915 insertions(+), 17140 deletions(-) create mode 100644 x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json create mode 100644 x-pack/filebeat/module/panw/panos/test/userid.log-expected.json diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index a471b4e2b18..a3156c6c212 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc @@ -105,3 +105,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Update Go version to 1.15.9. {pull}24442[24442] - Update Go version to 1.15.10. {pull}24606[24606] - Update Go version to 1.15.12. {pull}25629[25629] +- Add sorting to array fields for generated data files (*-generated.json) {pull}25320[25320] diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json index 8debfbba37f..b435807ebaa 100644 --- a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json @@ -45,8 +45,8 @@ "changed-audit-configuration" ], "event.category": [ - "process", - "configuration" + "configuration", + "process" ], "event.dataset": "auditd.log", "event.kind": "event", @@ -75,8 +75,8 @@ "changed-audit-configuration" ], "event.category": [ - "process", - "configuration" + "configuration", + "process" ], "event.dataset": "auditd.log", "event.kind": "event", diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index 215c0bf11f9..a5b4e8f9247 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json 
@@ -86,8 +86,8 @@ "input.type": "log", "log.offset": 373, "process.args": [ - "/usr/lib64/nagios/plugins/check_asterisk_sip_peers", "-p", + "/usr/lib64/nagios/plugins/check_asterisk_sip_peers", "202" ], "process.args_count": 3, diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 48caa4ae6c5..1fb5728827e 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json @@ -88,8 +88,8 @@ "input.type": "log", "log.offset": 536, "process.args": [ - "/usr/lib64/nagios/plugins/check_asterisk_sip_peers", "-p", + "/usr/lib64/nagios/plugins/check_asterisk_sip_peers", "202" ], "process.args_count": 3, diff --git a/filebeat/module/auditd/log/test/useradd.log-expected.json b/filebeat/module/auditd/log/test/useradd.log-expected.json index 3eb42fe0a86..d76ad1288ad 100644 --- a/filebeat/module/auditd/log/test/useradd.log-expected.json +++ b/filebeat/module/auditd/log/test/useradd.log-expected.json @@ -20,8 +20,8 @@ "event.original": "type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "event.outcome": "success", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "log", "group.id": "1004", @@ -58,8 +58,8 @@ "event.original": "type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "event.outcome": "success", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "log", "group.id": "1004", 
@@ -95,8 +95,8 @@ "event.original": "type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "event.outcome": "success", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "log", "group.id": "1004", @@ -133,8 +133,8 @@ "event.original": "type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "event.outcome": "success", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "log", "input.type": "log", @@ -207,8 +207,8 @@ "event.original": "type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct=\"charlie\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "event.outcome": "success", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "log", "input.type": "log", diff --git a/filebeat/module/elasticsearch/audit/test/test-access.log-expected.json b/filebeat/module/elasticsearch/audit/test/test-access.log-expected.json index b4d5927a264..31e3f3af043 100644 --- a/filebeat/module/elasticsearch/audit/test/test-access.log-expected.json +++ b/filebeat/module/elasticsearch/audit/test/test-access.log-expected.json @@ -170,10 +170,10 @@ "elasticsearch.audit.action": "indices:data/read/search[free_context]", "elasticsearch.audit.event_type": "access_granted", "elasticsearch.audit.indices": [ - "foo-2019.01.04", "foo-2019.01.03", - "foo-2019.01.06", + "foo-2019.01.04", "foo-2019.01.05", + "foo-2019.01.06", "foo-2019.01.08", "servicelog-2019.01.07" ], 
@@ -182,9 +182,9 @@ "elasticsearch.audit.realm": "active_directory", "elasticsearch.audit.request.name": "SearchFreeContextRequest", "elasticsearch.audit.user.roles": [ + "foo_reader", "kibana_user", - "my_custom_role_1", - "foo_reader" + "my_custom_role_1" ], "elasticsearch.node.name": "NodeName-0", "event.category": "database", diff --git a/filebeat/module/elasticsearch/audit/test/test-audit-761.log-expected.json b/filebeat/module/elasticsearch/audit/test/test-audit-761.log-expected.json index 5419e2e63ea..7b6233381c9 100644 --- a/filebeat/module/elasticsearch/audit/test/test-audit-761.log-expected.json +++ b/filebeat/module/elasticsearch/audit/test/test-audit-761.log-expected.json @@ -18,8 +18,8 @@ "elasticsearch.audit.request.name": "MultiGetShardRequest", "elasticsearch.audit.user.realm": "native1", "elasticsearch.audit.user.roles": [ - "logstash_admin", - "cluster_monitor" + "cluster_monitor", + "logstash_admin" ], "elasticsearch.node.id": "vvj136QVQ2Ci2aXmrhyi3Q", "event.action": "access_granted", diff --git a/filebeat/module/elasticsearch/gc/test/gc.log-expected.json b/filebeat/module/elasticsearch/gc/test/gc.log-expected.json index 41943abdf00..0e4e1d2878c 100644 --- a/filebeat/module/elasticsearch/gc/test/gc.log-expected.json +++ b/filebeat/module/elasticsearch/gc/test/gc.log-expected.json @@ -19,9 +19,9 @@ { "@timestamp": "2018-06-13T07:44:22.647Z", "elasticsearch.gc.tags": [ + "coops", "gc", - "heap", - "coops" + "heap" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -737,8 +737,8 @@ { "@timestamp": "2018-06-13T07:44:24.343Z", "elasticsearch.gc.tags": [ - "gc", - "age" + "age", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -755,8 +755,8 @@ { "@timestamp": "2018-06-13T07:44:24.343Z", "elasticsearch.gc.tags": [ - "gc", - "age" + "age", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", 
@@ -773,8 +773,8 @@ { "@timestamp": "2018-06-13T07:44:24.343Z", "elasticsearch.gc.tags": [ - "gc", - "age" + "age", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -864,8 +864,8 @@ { "@timestamp": "2018-06-13T07:44:24.343Z", "elasticsearch.gc.tags": [ - "gc", - "cpu" + "cpu", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -951,8 +951,8 @@ { "@timestamp": "2018-06-13T07:44:24.347Z", "elasticsearch.gc.tags": [ - "gc", - "cpu" + "cpu", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1038,8 +1038,8 @@ { "@timestamp": "2018-06-13T07:44:24.348Z", "elasticsearch.gc.tags": [ - "gc", - "cpu" + "cpu", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1090,8 +1090,8 @@ { "@timestamp": "2018-06-13T07:44:24.350Z", "elasticsearch.gc.tags": [ - "gc", - "cpu" + "cpu", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1176,8 +1176,8 @@ { "@timestamp": "2018-06-13T07:44:24.595Z", "elasticsearch.gc.tags": [ - "gc", - "cpu" + "cpu", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1246,8 +1246,8 @@ { "@timestamp": "2018-06-13T07:44:24.618Z", "elasticsearch.gc.tags": [ - "gc", - "cpu" + "cpu", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1315,8 +1315,8 @@ { "@timestamp": "2018-06-13T07:44:24.618Z", "elasticsearch.gc.tags": [ - "gc", - "cpu" + "cpu", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1367,8 +1367,8 @@ { "@timestamp": "2018-06-13T07:44:24.619Z", "elasticsearch.gc.tags": [ - "gc", - "cpu" + "cpu", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1628,8 +1628,8 @@ { "@timestamp": "2018-06-13T07:44:25.167Z", "elasticsearch.gc.tags": [ - "gc", - "age" + "age", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", 
@@ -1646,8 +1646,8 @@ { "@timestamp": "2018-06-13T07:44:25.167Z", "elasticsearch.gc.tags": [ - "gc", - "age" + "age", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1664,8 +1664,8 @@ { "@timestamp": "2018-06-13T07:44:25.167Z", "elasticsearch.gc.tags": [ - "gc", - "age" + "age", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", @@ -1682,8 +1682,8 @@ { "@timestamp": "2018-06-13T07:44:25.167Z", "elasticsearch.gc.tags": [ - "gc", - "age" + "age", + "gc" ], "event.category": "database", "event.dataset": "elasticsearch.gc", diff --git a/filebeat/module/elasticsearch/server/test/test-json.log-expected.json b/filebeat/module/elasticsearch/server/test/test-json.log-expected.json index e0b676a3df3..ef3ba6a194e 100644 --- a/filebeat/module/elasticsearch/server/test/test-json.log-expected.json +++ b/filebeat/module/elasticsearch/server/test/test-json.log-expected.json 
@@ -972,53 +972,53 @@
 "elasticsearch.component": "test",
 "elasticsearch.node.name": "sample-name",
 "elasticsearch.server.stacktrace": [
- "java.lang.Exception: {",
- " \"terms\" : {",
- " \"user\" : [",
 " \"u1\",",
 " \"u2\",",
 " \"u3\"",
- " ],",
 " \"boost\" : 1.0",
+ " \"user\" : [",
+ " ],",
+ " \"terms\" : {",
 " }",
- "}",
- "at org.elasticsearch.common.logging.JsonLoggerTests.testJsonInStacktraceMessageIsSplitted(JsonLoggerTests.java:159) [test/:?]",
- "at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]",
- "at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]",
- "at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]",
- "at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]",
- "at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1750) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:938) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:974) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.RandomizedRunner$10.evaluate(RandomizedRunner.java:988) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
- "at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:49) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:48) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:832) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:883) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:894) [randomizedtesting-runner-2.7.1.jar:?]",
- "at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
- "at org.apache.lucene.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:41) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:938) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:974) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1750) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at java.lang.Thread.run(Thread.java:834) [?:?]",
+ "at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]",
+ "at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]",
+ "at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]",
+ "at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]",
+ "at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
 "at org.apache.lucene.util.TestRuleAssertionsRequired$1.evaluate(TestRuleAssertionsRequired.java:53) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
 "at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
 "at org.apache.lucene.util.TestRuleIgnoreTestSuites$1.evaluate(TestRuleIgnoreTestSuites.java:54) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) [randomizedtesting-runner-2.7.1.jar:?]",
- "at java.lang.Thread.run(Thread.java:834) [?:?]"
+ "at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:49) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:41) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:48) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.elasticsearch.common.logging.JsonLoggerTests.testJsonInStacktraceMessageIsSplitted(JsonLoggerTests.java:159) [test/:?]",
+ "java.lang.Exception: {",
+ "}"
 ],
 "event.category": "database",
 "event.dataset": "elasticsearch.server",
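Review bot: Sorting `elasticsearch.server.stacktrace` leaves this fixture unable to check what the pipeline actually emits: on the new side `"java.lang.Exception: {"` and `"}"` sit at the bottom of the array and the frames are in plain string order, so a regression that reorders or re-splits the multiline message would still match the expected file. `event.category`, `related.ip` and the gc tags are set-valued fields where order is immaterial, but a stacktrace is an ordered sequence (exception header, frames, `Caused by:`, `... N more`), and the same loss appears in the `@@ -1058` hunk for the `testStacktrace` event, where `"... 37 more"` now leads and `"java.lang.Exception: exception message"` trails. If the generator's sort cannot be restricted to unordered fields, I would at least exempt `*.stacktrace` (or sort only at comparison time rather than in the stored expectation) so the file keeps pipeline order; the sorting code itself is not in this diff, so this is inferred from the expected data alone.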
@@ -1058,46 +1058,46 @@
 "elasticsearch.component": "test",
 "elasticsearch.node.name": "sample-name",
 "elasticsearch.server.stacktrace": [
- "java.lang.Exception: exception message",
- "at org.elasticsearch.common.logging.JsonLoggerTests.testStacktrace(JsonLoggerTests.java:125) [test/:?]",
- "at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]",
- "at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]",
- "at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]",
- "at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]",
- "at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1750) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:938) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:974) [randomizedtesting-runner-2.7.1.jar:?]",
+ "... 37 more",
+ "Caused by: java.lang.RuntimeException: cause message",
 "at com.carrotsearch.randomizedtesting.RandomizedRunner$10.evaluate(RandomizedRunner.java:988) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
- "at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:49) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:48) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:832) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:883) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:894) [randomizedtesting-runner-2.7.1.jar:?]",
- "at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
- "at org.apache.lucene.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:41) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:938) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:974) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1750) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
 "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
+ "at java.lang.Thread.run(Thread.java:834) [?:?]",
+ "at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]",
+ "at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]",
+ "at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]",
+ "at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]",
+ "at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:45) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
 "at org.apache.lucene.util.TestRuleAssertionsRequired$1.evaluate(TestRuleAssertionsRequired.java:53) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
 "at org.apache.lucene.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:64) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
 "at org.apache.lucene.util.TestRuleIgnoreTestSuites$1.evaluate(TestRuleIgnoreTestSuites.java:54) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
- "at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36) [randomizedtesting-runner-2.7.1.jar:?]",
- "at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368) [randomizedtesting-runner-2.7.1.jar:?]",
- "at java.lang.Thread.run(Thread.java:834) [?:?]",
- "Caused by: java.lang.RuntimeException: cause message",
- "... 37 more"
+ "at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:47) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:49) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:41) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.apache.lucene.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:48) [lucene-test-framework-8.0.0-snapshot-a1c6e642aa.jar:8.0.0-snapshot-a1c6e642aa a1c6e642aad90d3615b4c71bf261a5aad7e32369 - nknize - 2019-01-02 14:49:38]",
+ "at org.elasticsearch.common.logging.JsonLoggerTests.testStacktrace(JsonLoggerTests.java:125) [test/:?]",
+ "java.lang.Exception: exception message"
 ],
 "event.category": "database",
 "event.dataset": "elasticsearch.server",
diff --git a/filebeat/module/haproxy/log/test/default.log-expected.json b/filebeat/module/haproxy/log/test/default.log-expected.json
index 4da9bc98f17..4ffaec05336 100644
--- a/filebeat/module/haproxy/log/test/default.log-expected.json
+++ b/filebeat/module/haproxy/log/test/default.log-expected.json
@@ -3,8 +3,8 @@
 "destination.ip": "1.2.3.4",
 "destination.port": 5000,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "haproxy.log",
 "event.kind": "event",
diff --git a/filebeat/module/iis/access/test/test-iis-7.2.log-expected.json b/filebeat/module/iis/access/test/test-iis-7.2.log-expected.json
index 5f37c7d4e43..b703a62dc8c 100644
--- a/filebeat/module/iis/access/test/test-iis-7.2.log-expected.json
+++ b/filebeat/module/iis/access/test/test-iis-7.2.log-expected.json
@@ -5,8 +5,8 @@
 "destination.ip": "10.44.0.136",
 "destination.port": 8080,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 0,
@@ -25,8 +25,8 @@
 "input.type": "log",
 "log.offset": 0,
 "related.ip": [
- "10.50.6.188",
- "10.44.0.136"
+ "10.44.0.136",
+ "10.50.6.188"
 ],
 "service.type": "iis",
 "source.address": "10.50.6.188",
@@ -49,8 +49,8 @@
 "destination.ip": "10.44.0.136",
 "destination.port": 8080,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 46000000,
@@ -69,8 +69,8 @@
 "input.type": "log",
 "log.offset": 213,
 "related.ip": [
- "10.50.6.188",
- "10.44.0.136"
+ "10.44.0.136",
+ "10.50.6.188"
 ],
 "service.type": "iis",
 "source.address": "10.50.6.188",
@@ -93,8 +93,8 @@
 "destination.ip": "10.44.0.136",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 0,
@@ -113,8 +113,8 @@
 "input.type": "log",
 "log.offset": 426,
 "related.ip": [
- "10.50.6.188",
- "10.44.0.136"
+ "10.44.0.136",
+ "10.50.6.188"
 ],
 "service.type": "iis",
 "source.address": "10.50.6.188",
@@ -135,8 +135,8 @@
 "destination.ip": "10.44.0.136",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 0,
@@ -155,8 +155,8 @@
 "input.type": "log",
 "log.offset": 568,
 "related.ip": [
- "10.50.6.188",
- "10.44.0.136"
+ "10.44.0.136",
+ "10.50.6.188"
 ],
 "service.type": "iis",
 "source.address": "10.50.6.188",
@@ -177,8 +177,8 @@
 "destination.ip": "10.44.0.136",
 "destination.port": 8080,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 15000000,
@@ -197,8 +197,8 @@
 "input.type": "log",
 "log.offset": 702,
 "related.ip": [
- "10.50.6.188",
- "10.44.0.136"
+ "10.44.0.136",
+ "10.50.6.188"
 ],
 "service.type": "iis",
 "source.address": "10.50.6.188",
diff --git a/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json b/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json
index df3c9df6d04..834b21be30a 100644
--- a/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json
+++ b/filebeat/module/iis/access/test/test-iis-7.5.log-expected.json
@@ -5,8 +5,8 @@
 "destination.ip": "10.100.220.70",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 792000000,
@@ -47,8 +47,8 @@
 "destination.ip": "10.0.140.107",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 15000000,
@@ -67,8 +67,8 @@
 "input.type": "log",
 "log.offset": 532,
 "related.ip": [
- "10.0.140.2",
- "10.0.140.107"
+ "10.0.140.107",
+ "10.0.140.2"
 ],
 "service.type": "iis",
 "source.address": "10.0.140.2",
@@ -82,8 +82,8 @@
 "destination.ip": "10.0.140.107",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 15000000,
@@ -102,8 +102,8 @@
 "input.type": "log",
 "log.offset": 619,
 "related.ip": [
- "10.0.140.2",
- "10.0.140.107"
+ "10.0.140.107",
+ "10.0.140.2"
 ],
 "service.type": "iis",
 "source.address": "10.0.140.2",
@@ -117,8 +117,8 @@
 "destination.ip": "2001:cdba:0000:0000:0000:0000:3257:9652",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 15000000,
diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json
index 35ce856496d..dd5e3317cd0 100644
--- a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json
+++ b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json
@@ -6,8 +6,8 @@
 "destination.ip": "::1",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 789000000,
diff --git a/filebeat/module/iis/access/test/test-x-forward-for-extended.log-expected.json b/filebeat/module/iis/access/test/test-x-forward-for-extended.log-expected.json
index edcefdf8e65..3548ebb5683 100644
--- a/filebeat/module/iis/access/test/test-x-forward-for-extended.log-expected.json
+++ b/filebeat/module/iis/access/test/test-x-forward-for-extended.log-expected.json
@@ -6,8 +6,8 @@
 "destination.ip": "10.24.129.162",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 0,
@@ -33,8 +33,8 @@
 "log.offset": 0,
 "network.forwarded_ip": "116.189.86.89",
 "related.ip": [
- "10.24.136.240",
- "10.24.129.162"
+ "10.24.129.162",
+ "10.24.136.240"
 ],
 "service.type": "iis",
 "source.address": "10.24.136.240",
@@ -58,8 +58,8 @@
 "destination.ip": "10.24.129.162",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 0,
@@ -84,8 +84,8 @@
 "log.offset": 385,
 "network.forwarded_ip": "119.16.157.180",
 "related.ip": [
- "10.24.136.240",
- "10.24.129.162"
+ "10.24.129.162",
+ "10.24.136.240"
 ],
 "service.type": "iis",
 "source.address": "10.24.136.240",
@@ -106,8 +106,8 @@
 "destination.ip": "10.24.129.162",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 15000000,
@@ -134,8 +134,8 @@
 "log.offset": 562,
 "network.forwarded_ip": "119.160.162.213",
 "related.ip": [
- "10.24.136.240",
- "10.24.129.162"
+ "10.24.129.162",
+ "10.24.136.240"
 ],
 "service.type": "iis",
 "source.address": "10.24.136.240",
@@ -160,8 +160,8 @@
 "destination.ip": "10.24.129.162",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 0,
@@ -188,8 +188,8 @@
 "log.offset": 1035,
 "network.forwarded_ip": "119.160.162.213",
 "related.ip": [
- "10.24.136.240",
- "10.24.129.162"
+ "10.24.129.162",
+ "10.24.136.240"
 ],
 "service.type": "iis",
 "source.address": "10.24.136.240",
@@ -214,8 +214,8 @@
 "destination.ip": "10.24.129.162",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 15000000,
@@ -242,8 +242,8 @@
 "log.offset": 1510,
 "network.forwarded_ip": "156.189.143.218",
 "related.ip": [
- "10.24.136.240",
- "10.24.129.162"
+ "10.24.129.162",
+ "10.24.136.240"
 ],
 "service.type": "iis",
 "source.address": "10.24.136.240",
@@ -268,8 +268,8 @@
 "destination.ip": "10.24.129.162",
 "destination.port": 80,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 0,
@@ -296,8 +296,8 @@
 "log.offset": 2265,
 "network.forwarded_ip": "156.189.143.218",
 "related.ip": [
- "10.24.136.240",
- "10.24.129.162"
+ "10.24.129.162",
+ "10.24.136.240"
 ],
 "service.type": "iis",
 "source.address": "10.24.136.240",
diff --git a/filebeat/module/iis/access/test/test-x-forward-for.log-expected.json b/filebeat/module/iis/access/test/test-x-forward-for.log-expected.json
index 8977e920292..8e6597895f5 100644
--- a/filebeat/module/iis/access/test/test-x-forward-for.log-expected.json
+++ b/filebeat/module/iis/access/test/test-x-forward-for.log-expected.json
@@ -5,8 +5,8 @@
 "destination.ip": "192.168.16.11",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 26000000,
@@ -27,8 +27,8 @@
 "log.offset": 0,
 "network.forwarded_ip": "192.168.198.23",
 "related.ip": [
- "192.168.7.63",
- "192.168.16.11"
+ "192.168.16.11",
+ "192.168.7.63"
 ],
 "service.type": "iis",
 "source.address": "192.168.7.63",
@@ -49,8 +49,8 @@
 "destination.ip": "192.168.16.11",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 32000000,
@@ -71,8 +71,8 @@
 "log.offset": 344,
 "network.forwarded_ip": "192.168.198.23",
 "related.ip": [
- "192.168.7.63",
- "192.168.16.11"
+ "192.168.16.11",
+ "192.168.7.63"
 ],
 "service.type": "iis",
 "source.address": "192.168.7.63",
@@ -93,8 +93,8 @@
 "destination.ip": "192.168.16.11",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 46000000,
@@ -115,8 +115,8 @@
 "log.offset": 688,
 "network.forwarded_ip": "192.168.198.23",
 "related.ip": [
- "192.168.7.63",
- "192.168.16.11"
+ "192.168.16.11",
+ "192.168.7.63"
 ],
 "service.type": "iis",
 "source.address": "192.168.7.63",
@@ -137,8 +137,8 @@
 "destination.ip": "192.168.16.11",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 32000000,
@@ -159,8 +159,8 @@
 "log.offset": 1029,
 "network.forwarded_ip": "192.168.198.23",
 "related.ip": [
- "192.168.7.63",
- "192.168.16.11"
+ "192.168.16.11",
+ "192.168.7.63"
 ],
 "service.type": "iis",
 "source.address": "192.168.7.63",
@@ -182,8 +182,8 @@
 "destination.ip": "192.168.16.11",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 166000000,
@@ -204,8 +204,8 @@
 "log.offset": 1434,
 "network.forwarded_ip": "192.168.198.23",
 "related.ip": [
- "192.168.7.63",
- "192.168.16.11"
+ "192.168.16.11",
+ "192.168.7.63"
 ],
 "service.type": "iis",
 "source.address": "192.168.7.63",
@@ -227,8 +227,8 @@
 "destination.ip": "192.168.16.11",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 60000000,
@@ -249,8 +249,8 @@
 "log.offset": 1900,
 "network.forwarded_ip": "192.168.198.23",
 "related.ip": [
- "192.168.7.63",
- "192.168.16.11"
+ "192.168.16.11",
+ "192.168.7.63"
 ],
 "service.type": "iis",
 "source.address": "192.168.7.63",
@@ -271,8 +271,8 @@
 "destination.ip": "192.168.16.11",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 72000000,
@@ -293,8 +293,8 @@
 "log.offset": 2249,
 "network.forwarded_ip": "192.168.198.23",
 "related.ip": [
- "192.168.7.63",
- "192.168.16.11"
+ "192.168.16.11",
+ "192.168.7.63"
 ],
 "service.type": "iis",
 "source.address": "192.168.7.63",
@@ -315,8 +315,8 @@
 "destination.ip": "192.168.16.11",
 "destination.port": 443,
 "event.category": [
- "web",
- "network"
+ "network",
+ "web"
 ],
 "event.dataset": "iis.access",
 "event.duration": 88000000,
@@ -337,8 +337,8 @@
 "log.offset": 2600,
 "network.forwarded_ip": "192.168.198.23",
 "related.ip": [
- "192.168.7.63",
- "192.168.16.11"
+ "192.168.16.11",
+ "192.168.7.63"
 ],
 "service.type": "iis",
 "source.address": "192.168.7.63",
@@ -359,8 +359,8 @@ "destination.ip": "192.168.16.11", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.access", "event.duration": 286000000, @@ -381,8 +381,8 @@ "log.offset": 2952, "network.forwarded_ip": "192.168.198.23", "related.ip": [ - "192.168.7.63", - "192.168.16.11" + "192.168.16.11", + "192.168.7.63" ], "service.type": "iis", "source.address": "192.168.7.63", diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index cd809c61bc7..2e04f8ef2b6 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -5,8 +5,8 @@ "destination.ip": "127.0.0.1", "destination.port": 80, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.access", "event.duration": 123000000, @@ -25,8 +25,8 @@ "input.type": "log", "log.offset": 257, "related.ip": [ - "85.181.35.98", - "127.0.0.1" + "127.0.0.1", + "85.181.35.98" ], "service.type": "iis", "source.address": "85.181.35.98", @@ -99,8 +99,8 @@ "destination.ip": "127.0.0.1", "destination.port": 80, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.access", "event.duration": 789000000, @@ -124,8 +124,8 @@ "input.type": "log", "log.offset": 1204, "related.ip": [ - "85.181.35.98", - "127.0.0.1" + "127.0.0.1", + "85.181.35.98" ], "service.type": "iis", "source.address": "85.181.35.98", @@ -157,8 +157,8 @@ "destination.ip": "10.44.0.136", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.access", "event.duration": 0, @@ -177,8 +177,8 @@ "input.type": "log", "log.offset": 1447, "related.ip": [ - "10.50.6.188", - "10.44.0.136" + "10.44.0.136", + "10.50.6.188" ], "service.type": "iis", "source.address": "10.50.6.188", 
@@ -200,8 +200,8 @@ "destination.ip": "10.44.0.136", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.access", "event.duration": 0, @@ -220,8 +220,8 @@ "input.type": "log", "log.offset": 1802, "related.ip": [ - "10.50.6.188", - "10.44.0.136" + "10.44.0.136", + "10.50.6.188" ], "service.type": "iis", "source.address": "10.50.6.188", diff --git a/filebeat/module/iis/error/test/iis_error_url.log-expected.json b/filebeat/module/iis/error/test/iis_error_url.log-expected.json index dcfa5353878..7c1ea1d79e0 100644 --- a/filebeat/module/iis/error/test/iis_error_url.log-expected.json +++ b/filebeat/module/iis/error/test/iis_error_url.log-expected.json @@ -5,8 +5,8 @@ "destination.ip": "192.168.101.101", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -46,8 +46,8 @@ "destination.ip": "192.168.101.101", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -87,8 +87,8 @@ "destination.ip": "192.168.101.101", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -126,8 +126,8 @@ "destination.ip": "192.168.101.101", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -165,8 +165,8 @@ "destination.ip": "192.168.101.101", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -206,8 +206,8 @@ "destination.ip": "192.168.101.101", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", 
@@ -245,8 +245,8 @@ "destination.ip": "192.168.101.101", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -285,8 +285,8 @@ "destination.ip": "192.168.101.101", "destination.port": 443, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", diff --git a/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json b/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json index e77f92bcc56..9afa95a9119 100644 --- a/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json +++ b/filebeat/module/iis/error/test/ipv6_zone_id.log-expected.json @@ -5,8 +5,8 @@ "destination.ip": "::1", "destination.port": 80, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", diff --git a/filebeat/module/iis/error/test/test.log-expected.json b/filebeat/module/iis/error/test/test.log-expected.json index fdf8fa4bdf1..4be3dc9ae9a 100644 --- a/filebeat/module/iis/error/test/test.log-expected.json +++ b/filebeat/module/iis/error/test/test.log-expected.json @@ -5,8 +5,8 @@ "destination.ip": "172.31.77.6", "destination.port": 80, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -41,8 +41,8 @@ "destination.ip": "127.0.0.1", "destination.port": 80, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -60,8 +60,8 @@ "input.type": "log", "log.offset": 286, "related.ip": [ - "85.181.35.98", - "127.0.0.1" + "127.0.0.1", + "85.181.35.98" ], "service.type": "iis", "source.address": "85.181.35.98", @@ -87,8 +87,8 @@ "destination.ip": "127.0.0.1", "destination.port": 80, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", 
@@ -106,8 +106,8 @@ "input.type": "log", "log.offset": 384, "related.ip": [ - "85.181.35.98", - "127.0.0.1" + "127.0.0.1", + "85.181.35.98" ], "service.type": "iis", "source.address": "85.181.35.98", @@ -132,8 +132,8 @@ "destination.ip": "127.0.0.1", "destination.port": 80, "event.category": [ - "web", - "network" + "network", + "web" ], "event.dataset": "iis.error", "event.kind": "event", @@ -147,8 +147,8 @@ "input.type": "log", "log.offset": 470, "related.ip": [ - "85.181.35.98", - "127.0.0.1" + "127.0.0.1", + "85.181.35.98" ], "service.type": "iis", "source.address": "85.181.35.98", diff --git a/filebeat/module/kibana/log/test/log.624.log-expected.json b/filebeat/module/kibana/log/test/log.624.log-expected.json index 0f988b9106c..118e4685043 100644 --- a/filebeat/module/kibana/log/test/log.624.log-expected.json +++ b/filebeat/module/kibana/log/test/log.624.log-expected.json @@ -12,9 +12,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:kibana@6.3.0", - "info" + "status" ], "log.offset": 0, "message": "Status changed from uninitialized to green - Ready", @@ -37,9 +37,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:elasticsearch@6.3.0", - "info" + "status" ], "log.offset": 243, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -62,9 +62,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:xpack_main@6.3.0", - "info" + "status" ], "log.offset": 515, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -87,9 +87,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:searchprofiler@6.3.0", - "info" + "status" ], "log.offset": 784, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", 
@@ -112,9 +112,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:ml@6.3.0", - "info" + "status" ], "log.offset": 1057, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -137,9 +137,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:tilemap@6.3.0", - "info" + "status" ], "log.offset": 1318, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -162,9 +162,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:watcher@6.3.0", - "info" + "status" ], "log.offset": 1584, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -187,9 +187,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:license_management@6.3.0", - "info" + "status" ], "log.offset": 1850, "message": "Status changed from uninitialized to green - Ready", @@ -212,9 +212,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:index_management@6.3.0", - "info" + "status" ], "log.offset": 2105, "message": "Status changed from uninitialized to green - Ready", @@ -237,9 +237,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:timelion@6.3.0", - "info" + "status" ], "log.offset": 2358, "message": "Status changed from uninitialized to green - Ready", @@ -262,9 +262,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:graph@6.3.0", - "info" + "status" ], "log.offset": 2603, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", 
@@ -287,9 +287,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:monitoring@6.3.0", - "info" + "status" ], "log.offset": 2867, "message": "Status changed from uninitialized to green - Ready", @@ -312,9 +312,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:security@6.3.0", - "info" + "status" ], "log.offset": 3114, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -377,9 +377,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:grokdebugger@6.3.0", - "info" + "status" ], "log.offset": 3846, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -402,9 +402,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:dashboard_mode@6.3.0", - "info" + "status" ], "log.offset": 4117, "message": "Status changed from uninitialized to green - Ready", @@ -427,9 +427,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:logstash@6.3.0", - "info" + "status" ], "log.offset": 4368, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -452,9 +452,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:apm@6.3.0", - "info" + "status" ], "log.offset": 4635, "message": "Status changed from uninitialized to green - Ready", @@ -477,9 +477,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:console@6.3.0", - "info" + "status" ], "log.offset": 4875, "message": "Status changed from uninitialized to green - Ready", 
@@ -502,9 +502,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:console_extensions@6.3.0", - "info" + "status" ], "log.offset": 5119, "message": "Status changed from uninitialized to green - Ready", @@ -527,9 +527,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:metrics@6.3.0", - "info" + "status" ], "log.offset": 5374, "message": "Status changed from uninitialized to green - Ready", @@ -572,9 +572,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:reporting@6.3.0", - "info" + "status" ], "log.offset": 5890, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -593,8 +593,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "listening", - "info" + "info", + "listening" ], "log.offset": 6158, "message": "Server running at http://localhost:5601", @@ -617,9 +617,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:elasticsearch@6.3.0", - "info" + "status" ], "log.offset": 6301, "message": "Status changed from yellow to green - Ready", @@ -638,8 +638,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "license", "info", + "license", "xpack" ], "log.offset": 6549, @@ -663,9 +663,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:xpack_main@6.3.0", - "info" + "status" ], "log.offset": 6787, "message": "Status changed from yellow to green - Ready", @@ -688,9 +688,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:searchprofiler@6.3.0", - "info" + "status" ], "log.offset": 7032, "message": "Status changed from yellow to green - Ready", 
@@ -713,9 +713,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:ml@6.3.0", - "info" + "status" ], "log.offset": 7281, "message": "Status changed from yellow to green - Ready", @@ -738,9 +738,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:tilemap@6.3.0", - "info" + "status" ], "log.offset": 7518, "message": "Status changed from yellow to green - Ready", @@ -763,9 +763,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:watcher@6.3.0", - "info" + "status" ], "log.offset": 7760, "message": "Status changed from yellow to green - Ready", @@ -788,9 +788,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:graph@6.3.0", - "info" + "status" ], "log.offset": 8002, "message": "Status changed from yellow to green - Ready", @@ -813,9 +813,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:security@6.3.0", - "info" + "status" ], "log.offset": 8242, "message": "Status changed from yellow to green - Ready", @@ -838,9 +838,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:grokdebugger@6.3.0", - "info" + "status" ], "log.offset": 8485, "message": "Status changed from yellow to green - Ready", @@ -863,9 +863,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:logstash@6.3.0", - "info" + "status" ], "log.offset": 8732, "message": "Status changed from yellow to green - Ready", @@ -888,9 +888,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:reporting@6.3.0", - "info" + "status" ], "log.offset": 8975, "message": "Status changed from yellow to green - Ready", 
@@ -910,8 +910,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "info", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 9219, "message": "Starting all Kibana monitoring collectors", @@ -930,8 +930,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "license", "info", + "license", "xpack" ], "log.offset": 9388, diff --git a/filebeat/module/kibana/log/test/log.verbose.624.log-expected.json b/filebeat/module/kibana/log/test/log.verbose.624.log-expected.json index e8cecf6d140..406565ad5cc 100644 --- a/filebeat/module/kibana/log/test/log.verbose.624.log-expected.json +++ b/filebeat/module/kibana/log/test/log.verbose.624.log-expected.json @@ -9,8 +9,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 0, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack", @@ -31,9 +31,9 @@ "kibana.log.meta.load.sockets.http.total": 0, "kibana.log.meta.load.sockets.https.total": 0, "kibana.log.meta.os.load": [ + 4.4111328125, 4.75537109375, - 5.1513671875, - 4.4111328125 + 5.1513671875 ], "kibana.log.meta.os.mem.free": 101990400, "kibana.log.meta.os.mem.total": 17179869184, @@ -64,8 +64,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/console", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 799, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/console", 
@@ -85,8 +85,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/elasticsearch", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 1085, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/elasticsearch", @@ -106,8 +106,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/input_control_vis", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 1383, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/input_control_vis", @@ -127,8 +127,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kbn_doc_views", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 1689, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kbn_doc_views", @@ -148,8 +148,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kbn_vislib_vis_types", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 1987, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kbn_vislib_vis_types", @@ -169,8 +169,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 2299, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kibana", 
@@ -190,8 +190,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/markdown_vis", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 2583, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/markdown_vis", @@ -211,8 +211,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/metric_vis", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 2879, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/metric_vis", @@ -232,8 +232,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/metrics", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 3171, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/metrics", @@ -253,8 +253,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/region_map", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 3457, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/region_map", @@ -274,8 +274,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/spy_modes", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 3749, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/spy_modes", 
@@ -295,8 +295,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/state_session_storage_redirect", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 4039, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/state_session_storage_redirect", @@ -316,8 +316,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/status_page", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 4371, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/status_page", @@ -337,8 +337,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/table_vis", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 4665, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/table_vis", @@ -358,8 +358,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/tagcloud", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 4955, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/tagcloud", @@ -379,8 +379,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/tile_map", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 5243, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/tile_map", 
@@ -400,8 +400,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/timelion", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 5531, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/timelion", @@ -421,8 +421,8 @@ "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/vega", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 5819, "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/vega", @@ -464,8 +464,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 6242, "message": "Initializing plugin kibana@kibana", @@ -488,9 +488,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:kibana@6.3.0", - "info" + "status" ], "log.offset": 6498, "message": "Status changed from uninitialized to green - Ready", @@ -511,8 +511,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 6741, "message": "Initializing plugin elasticsearch@kibana", @@ -535,9 +535,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:elasticsearch@6.3.0", - "info" + "status" ], "log.offset": 6937, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -560,9 +560,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:xpack_main@6.3.0", - "info" + "status" ], "log.offset": 9719, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", 
@@ -585,9 +585,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:searchprofiler@6.3.0", - "info" + "status" ], "log.offset": 12502, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -610,9 +610,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:ml@6.3.0", - "info" + "status" ], "log.offset": 15277, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -633,8 +633,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 15538, "message": "Initializing plugin kbn_vislib_vis_types@kibana", @@ -657,9 +657,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:tilemap@6.3.0", - "info" + "status" ], "log.offset": 18255, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -682,9 +682,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:watcher@6.3.0", - "info" + "status" ], "log.offset": 21028, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -707,9 +707,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:license_management@6.3.0", - "info" + "status" ], "log.offset": 23812, "message": "Status changed from uninitialized to green - Ready", @@ -732,9 +732,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:index_management@6.3.0", - "info" + "status" ], "log.offset": 26583, "message": "Status changed from uninitialized to green - Ready", 
@@ -755,8 +755,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 26836, "message": "Initializing plugin input_control_vis@kibana", @@ -777,8 +777,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 27040, "message": "Initializing plugin kbn_doc_views@kibana", @@ -799,8 +799,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 27236, "message": "Initializing plugin markdown_vis@kibana", @@ -821,8 +821,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 27430, "message": "Initializing plugin metric_vis@kibana", @@ -843,8 +843,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 27620, "message": "Initializing plugin region_map@kibana", @@ -865,8 +865,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 27810, "message": "Initializing plugin spy_modes@kibana", @@ -888,8 +888,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 27998, "message": "Initializing plugin state_session_storage_redirect@kibana", @@ -910,8 +910,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 28527, "message": "Initializing plugin status_page@kibana", 
@@ -932,8 +932,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 28719, "message": "Initializing plugin table_vis@kibana", @@ -954,8 +954,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 28907, "message": "Initializing plugin tagcloud@kibana", @@ -976,8 +976,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 29093, "message": "Initializing plugin tile_map@kibana", @@ -999,8 +999,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 29279, "message": "Initializing plugin timelion@kibana", @@ -1023,9 +1023,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:timelion@6.3.0", - "info" + "status" ], "log.offset": 29508, "message": "Status changed from uninitialized to green - Ready", @@ -1048,9 +1048,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:graph@6.3.0", - "info" + "status" ], "log.offset": 32258, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -1073,9 +1073,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:monitoring@6.3.0", - "info" + "status" ], "log.offset": 35032, "message": "Status changed from uninitialized to green - Ready", 
@@ -1098,9 +1098,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:security@6.3.0", - "info" + "status" ], "log.offset": 37787, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -1163,9 +1163,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:grokdebugger@6.3.0", - "info" + "status" ], "log.offset": 41031, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -1188,9 +1188,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:dashboard_mode@6.3.0", - "info" + "status" ], "log.offset": 43816, "message": "Status changed from uninitialized to green - Ready", @@ -1213,9 +1213,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:logstash@6.3.0", - "info" + "status" ], "log.offset": 46575, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -1238,9 +1238,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:apm@6.3.0", - "info" + "status" ], "log.offset": 49345, "message": "Status changed from uninitialized to green - Ready", @@ -1265,8 +1265,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 52090, "message": "Initializing plugin console@6.3.0", @@ -1289,9 +1289,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:console@6.3.0", - "info" + "status" ], "log.offset": 52374, "message": "Status changed from uninitialized to green - Ready", 
@@ -1314,9 +1314,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:console_extensions@6.3.0", - "info" + "status" ], "log.offset": 55136, "message": "Status changed from uninitialized to green - Ready", @@ -1338,8 +1338,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 55391, "message": "Initializing plugin metrics@6.3.0", @@ -1362,9 +1362,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:metrics@6.3.0", - "info" + "status" ], "log.offset": 55615, "message": "Status changed from uninitialized to green - Ready", @@ -1386,8 +1386,8 @@ "kibana.log.meta.plugin.version": "kibana", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugins", - "debug" + "debug", + "plugins" ], "log.offset": 55859, "message": "Initializing plugin vega@kibana", @@ -1406,9 +1406,9 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", "debug", - "exportTypes" + "exportTypes", + "reporting" ], "log.offset": 58589, "message": "Found exportType at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack/plugins/reporting/export_types/csv/server/index.js", @@ -1427,9 +1427,9 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", "debug", - "exportTypes" + "exportTypes", + "reporting" ], "log.offset": 58853, "message": "Found exportType at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack/plugins/reporting/export_types/printable_pdf/server/index.js", @@ -1468,8 +1468,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", - "debug" + "debug", + "reporting" ], "log.offset": 59399, "message": "Browser type: phantom", 
@@ -1492,9 +1492,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "yellow", "kibana.log.tags": [ - "status", + "info", "plugin:reporting@6.3.0", - "info" + "status" ], "log.offset": 59525, "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", @@ -1513,8 +1513,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", - "debug" + "debug", + "reporting" ], "log.offset": 59793, "message": "Running on os \"darwin\", distribution \"undefined\", release \"undefined\"", @@ -1533,8 +1533,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", - "debug" + "debug", + "reporting" ], "log.offset": 59973, "message": "Browser installed at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/data/phantomjs-2.1.1-macosx/bin/phantomjs", @@ -1553,9 +1553,9 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ + "debug", "reporting", - "worker", - "debug" + "worker" ], "log.offset": 60195, "message": "CSV: Registering CSV worker", @@ -1574,10 +1574,10 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", + "debug", "esqueue", - "worker", - "debug" + "reporting", + "worker" ], "log.offset": 60336, "message": "jgyzr8b31hu86bfe3bf3pw9w - Created worker for job type csv", @@ -1596,9 +1596,9 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ + "debug", "reporting", - "worker", - "debug" + "worker" ], "log.offset": 60518, "message": "PDF: Registering PDF worker", @@ -1617,10 +1617,10 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", + "debug", "esqueue", - "worker", - "debug" + "reporting", + "worker" ], "log.offset": 60659, "message": "jgyzr8b81hu86bfe3bf6jd27 - Created worker for job type printable_pdf", 
@@ -1660,8 +1660,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "listening", - "info" + "info", + "listening" ], "log.offset": 61037, "message": "Server running at http://localhost:5601", @@ -1680,8 +1680,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 61180, "message": "Checking Elasticsearch version", @@ -1704,9 +1704,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:elasticsearch@6.3.0", - "info" + "status" ], "log.offset": 61312, "message": "Status changed from yellow to green - Ready", @@ -1725,8 +1725,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "license", "debug", + "license", "xpack" ], "log.offset": 61560, @@ -1746,8 +1746,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "license", "info", + "license", "xpack" ], "log.offset": 61736, @@ -1767,8 +1767,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "monitoring-ui", - "es-client" + "es-client", + "monitoring-ui" ], "log.offset": 61974, "message": "config sourced from: production cluster (http://localhost:9200)", @@ -1791,9 +1791,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:xpack_main@6.3.0", - "info" + "status" ], "log.offset": 62150, "message": "Status changed from yellow to green - Ready", @@ -1816,9 +1816,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:searchprofiler@6.3.0", - "info" + "status" ], "log.offset": 62395, "message": "Status changed from yellow to green - Ready", 
@@ -1841,9 +1841,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:ml@6.3.0", - "info" + "status" ], "log.offset": 62644, "message": "Status changed from yellow to green - Ready", @@ -1866,9 +1866,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:tilemap@6.3.0", - "info" + "status" ], "log.offset": 62881, "message": "Status changed from yellow to green - Ready", @@ -1891,9 +1891,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:watcher@6.3.0", - "info" + "status" ], "log.offset": 63123, "message": "Status changed from yellow to green - Ready", @@ -1916,9 +1916,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:graph@6.3.0", - "info" + "status" ], "log.offset": 63365, "message": "Status changed from yellow to green - Ready", @@ -1941,9 +1941,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:security@6.3.0", - "info" + "status" ], "log.offset": 63605, "message": "Status changed from yellow to green - Ready", @@ -1966,9 +1966,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:grokdebugger@6.3.0", - "info" + "status" ], "log.offset": 63848, "message": "Status changed from yellow to green - Ready", @@ -1991,9 +1991,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:logstash@6.3.0", - "info" + "status" ], "log.offset": 64095, "message": "Status changed from yellow to green - Ready", 
@@ -2016,9 +2016,9 @@ "kibana.log.meta.type": "log", "kibana.log.state": "green", "kibana.log.tags": [ - "status", + "info", "plugin:reporting@6.3.0", - "info" + "status" ], "log.offset": 64338, "message": "Status changed from yellow to green - Ready", @@ -2037,8 +2037,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "license", "debug", + "license", "xpack" ], "log.offset": 64582, @@ -2059,8 +2059,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "info", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 64764, "message": "Starting all Kibana monitoring collectors", @@ -2080,8 +2080,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "debug", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 64933, "message": "Initializing kibana_stats collector", @@ -2101,8 +2101,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "debug", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 65097, "message": "Setting logger for kibana_stats collector", @@ -2122,8 +2122,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "debug", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 65267, "message": "Setting logger for kibana_settings collector", @@ -2143,8 +2143,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "debug", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 65440, "message": "Fetching data from kibana_stats collector", @@ -2164,8 +2164,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "debug", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 65610, "message": "Uploading bulk Kibana monitoring payload", 
@@ -2184,8 +2184,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "license", "info", + "license", "xpack" ], "log.offset": 65779, @@ -2208,9 +2208,9 @@ "kibana.log.meta.load.sockets.http.total": 1, "kibana.log.meta.load.sockets.https.total": 0, "kibana.log.meta.os.load": [ + 4.42041015625, 4.85498046875, - 5.1650390625, - 4.42041015625 + 5.1650390625 ], "kibana.log.meta.os.mem.free": 60276736, "kibana.log.meta.os.mem.total": 17179869184, @@ -2241,8 +2241,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "debug", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 66573, "message": "Received Kibana Ops event data", @@ -2261,8 +2261,8 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "plugin", - "debug" + "debug", + "plugin" ], "log.offset": 66732, "message": "Checking Elasticsearch version", diff --git a/filebeat/module/kibana/log/test/test.log-expected.json b/filebeat/module/kibana/log/test/test.log-expected.json index 1fe93f5c75b..1f8ec762b4e 100644 --- a/filebeat/module/kibana/log/test/test.log-expected.json +++ b/filebeat/module/kibana/log/test/test.log-expected.json @@ -45,8 +45,8 @@ "kibana.log.meta.type": "log", "kibana.log.tags": [ "debug", - "monitoring-ui", - "kibana-monitoring" + "kibana-monitoring", + "monitoring-ui" ], "log.offset": 920, "message": "Fetching data from kibana_stats collector", @@ -65,9 +65,9 @@ "input.type": "log", "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", "debug", - "exportTypes" + "exportTypes", + "reporting" ], "log.offset": 1090, "message": "Found exportType at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack/plugins/reporting/export_types/csv/server/index.js", diff --git a/filebeat/module/mongodb/log/test/mongodb-debian-3.2.11.log-expected.json b/filebeat/module/mongodb/log/test/mongodb-debian-3.2.11.log-expected.json index c0337fac9c7..6ff825c3288 100644 
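Review bot: Sorting `kibana.log.meta.os.load` in this hunk (`4.42041015625` now first, `5.1650390625` last) discards the positional meaning of that array, so the fixture can no longer catch a regression that swaps those values. The same loss of order-significance shows up in the nginx hunks for `nginx.access.remote_ip_list` (the chain order is what determines which address counts as the client) and in the santa hunks for `process.args`, where `--daily` now precedes `/usr/sbin/systemstats` and the Chrome Helper argv is scrambled. The sort presumably lives in the test harness rather than in the ingest pipelines, so production output should be unaffected, but that harness change is outside this chunk. Consider restricting the sort to fields where order is genuinely irrelevant (`event.type`, `related.user`, `kibana.log.tags`) and comparing argv- and chain-like lists unsorted.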
--- a/filebeat/module/mongodb/log/test/mongodb-debian-3.2.11.log-expected.json +++ b/filebeat/module/mongodb/log/test/mongodb-debian-3.2.11.log-expected.json @@ -729,8 +729,8 @@ "event.kind": "event", "event.module": "mongodb", "event.type": [ - "info", - "error" + "error", + "info" ], "fileset.name": "log", "input.type": "log", diff --git a/filebeat/module/mysql/error/test/mariadb-10.4.8.log-expected.json b/filebeat/module/mysql/error/test/mariadb-10.4.8.log-expected.json index 9027223418b..f5bc13d0ba9 100644 --- a/filebeat/module/mysql/error/test/mariadb-10.4.8.log-expected.json +++ b/filebeat/module/mysql/error/test/mariadb-10.4.8.log-expected.json @@ -531,8 +531,8 @@ "event.module": "mysql", "event.timezone": "-02:00", "event.type": [ - "info", - "error" + "error", + "info" ], "fileset.name": "error", "input.type": "log", diff --git a/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json b/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json index f24d8d9fe61..c9c94ad66b0 100644 --- a/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json +++ b/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json @@ -460,8 +460,8 @@ "event.module": "mysql", "event.timezone": "-02:00", "event.type": [ - "info", - "error" + "error", + "info" ], "fileset.name": "error", "input.type": "log", @@ -741,8 +741,8 @@ "event.module": "mysql", "event.timezone": "-02:00", "event.type": [ - "info", - "error" + "error", + "info" ], "fileset.name": "error", "input.type": "log", diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index 85ba8c494f3..7de74d8c540 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json 
@@ -22,8 +22,8 @@ "input.type": "log", "log.offset": 0, "nginx.access.remote_ip_list": [ - "10.0.0.2", "10.0.0.1", + "10.0.0.2", "127.0.0.1" ], "related.ip": [ @@ -108,8 +108,8 @@ "input.type": "log", "log.offset": 365, "nginx.access.remote_ip_list": [ - "10.0.0.2", "10.0.0.1", + "10.0.0.2", "85.181.35.98" ], "related.ip": [ @@ -216,10 +216,10 @@ "input.type": "log", "log.offset": 783, "nginx.access.remote_ip_list": [ + "10.2.1.185", "10.5.102.222", "199.96.1.1", - "204.246.1.1", - "10.2.1.185" + "204.246.1.1" ], "related.ip": [ "199.96.1.1" @@ -268,13 +268,13 @@ "input.type": "log", "log.offset": 950, "nginx.access.remote_ip_list": [ - "2a03:0000:10ff:f00f:0000:0000:0:8000", + "10.2.2.121", "10.225.192.17", - "10.2.2.121" + "2a03:0000:10ff:f00f:0000:0000:0:8000" ], "related.ip": [ - "2a03:0000:10ff:f00f:0000:0000:0:8000", - "1.2.3.4" + "1.2.3.4", + "2a03:0000:10ff:f00f:0000:0000:0:8000" ], "service.type": "nginx", "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000", @@ -317,8 +317,8 @@ "127.0.0.1" ], "related.ip": [ - "127.0.0.1", - "1.2.3.4" + "1.2.3.4", + "127.0.0.1" ], "service.type": "nginx", "source.address": "127.0.0.1", diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 60731f0cc10..dfbc56a940a 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json @@ -21,8 +21,8 @@ "input.type": "log", "log.offset": 0, "nginx.access.remote_ip_list": [ - "10.0.0.2", "10.0.0.1", + "10.0.0.2", "127.0.0.1" ], "related.ip": [ @@ -103,8 +103,8 @@ "input.type": "log", "log.offset": 341, "nginx.access.remote_ip_list": [ - "10.0.0.2", "10.0.0.1", + "10.0.0.2", "85.181.35.98" ], "related.ip": [ @@ -205,10 +205,10 @@ "input.type": "log", "log.offset": 732, "nginx.access.remote_ip_list": [ + "10.2.1.185", "10.5.102.222", "199.96.1.1", - "204.246.1.1", - "10.2.1.185" + "204.246.1.1" ], "related.ip": [ "199.96.1.1" 
@@ -255,9 +255,9 @@ "input.type": "log", "log.offset": 884, "nginx.access.remote_ip_list": [ - "2a03:0000:10ff:f00f:0000:0000:0:8000", + "10.2.2.121", "10.225.192.17", - "10.2.2.121" + "2a03:0000:10ff:f00f:0000:0000:0:8000" ], "related.ip": [ "2a03:0000:10ff:f00f:0000:0000:0:8000" diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json index 7a9e13bf58e..af9633b7bb6 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -1365,8 +1365,8 @@ "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 100, "nginx.ingress_controller.upstream.response.length_list": [ - "61", - "100" + "100", + "61" ], "nginx.ingress_controller.upstream.response.status_code": 203, "nginx.ingress_controller.upstream.response.status_code_list": [ @@ -1375,8 +1375,8 @@ ], "nginx.ingress_controller.upstream.response.time": 0.104, "nginx.ingress_controller.upstream.response.time_list": [ - "0.100", - "0.004" + "0.004", + "0.100" ], "nginx.ingress_controller.upstream_address_list": [ "172.17.0.6:8080", @@ -1432,8 +1432,8 @@ "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 100, "nginx.ingress_controller.upstream.response.length_list": [ - "61", - "100" + "100", + "61" ], "nginx.ingress_controller.upstream.response.status_code": 203, "nginx.ingress_controller.upstream.response.status_code_list": [ @@ -1442,8 +1442,8 @@ ], "nginx.ingress_controller.upstream.response.time": 0.104, "nginx.ingress_controller.upstream.response.time_list": [ - "0.100", - "0.004" + "0.004", + "0.100" ], "nginx.ingress_controller.upstream_address_list": [ "172.17.0.6:8080", 
diff --git a/filebeat/module/pensando/dfw/test/test.log-expected.json b/filebeat/module/pensando/dfw/test/test.log-expected.json index d43ffdea29c..ae3ad50d0fa 100644 --- a/filebeat/module/pensando/dfw/test/test.log-expected.json +++ b/filebeat/module/pensando/dfw/test/test.log-expected.json @@ -15,8 +15,8 @@ "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "dfw", "input.type": "log", @@ -59,8 +59,8 @@ "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "dfw", "input.type": "log", @@ -103,8 +103,8 @@ "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "dfw", "input.type": "log", diff --git a/filebeat/module/santa/log/test/santa.log-expected.json b/filebeat/module/santa/log/test/santa.log-expected.json index 589aeae75f8..2feefb8885e 100644 --- a/filebeat/module/santa/log/test/santa.log-expected.json +++ b/filebeat/module/santa/log/test/santa.log-expected.json @@ -69,8 +69,8 @@ "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.systemstats.daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ "/usr/libexec/xpcproxy", - "xpcproxy", - "com.apple.systemstats.daily" + "com.apple.systemstats.daily", + "xpcproxy" ], "process.executable": "/usr/libexec/xpcproxy", "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", 
@@ -163,9 +163,9 @@ "log.offset": 1095, "log.original": "[2018-12-10T06:45:16.859Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f|path=/usr/sbin/systemstats|args=/usr/sbin/systemstats --daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ + "--daily", "/usr/sbin/systemstats", - "/usr/sbin/systemstats", - "--daily" + "/usr/sbin/systemstats" ], "process.executable": "/usr/sbin/systemstats", "process.hash.sha256": "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f", @@ -259,8 +259,8 @@ "log.original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.adobe.AAM.Scheduler-1.0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29680|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ "/usr/libexec/xpcproxy", - "xpcproxy", - "com.adobe.AAM.Scheduler-1.0" + "com.adobe.AAM.Scheduler-1.0", + "xpcproxy" ], "process.executable": "/usr/libexec/xpcproxy", "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", 
@@ -305,10 +305,10 @@ "log.offset": 2202, "log.original": "[2018-12-10T21:37:27.247Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1|path=/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd|args=/usr/local/bin/osqueryd --flagfile=/private/var/osquery/osquery.flags --logger_min_stderr=1|pid=45084|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ - "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd", - "/usr/local/bin/osqueryd", "--flagfile=/private/var/osquery/osquery.flags", - "--logger_min_stderr=1" + "--logger_min_stderr=1", + "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd", + "/usr/local/bin/osqueryd" ], "process.executable": "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd", "process.hash.sha256": "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1", 
@@ -397,19 +397,19 @@ "log.offset": 2899, "log.original": "[2018-12-14T05:35:38.313Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7|path=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper|args=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --field-trial-handle=120122713615061869,9401617251746517350,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10458143409865682077 --seatbelt-client=262|cert_sha256=345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5|cert_cn=Developer ID Application: Google, Inc. (EQHXZ8M8AV)|pid=89238|ppid=704|uid=501|user=akroh|gid=20|group=staff|mode=M", "process.args": [ - "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", + "--field-trial-handle=120122713615061869,9401617251746517350,131072", + "--lang=en-US", + "--seatbelt-client=262", + "--service-request-channel-token=10458143409865682077", + "--service-sandbox-type=utility", + "--type=utility", "/Applications/Google", - "Chrome.app/Contents/Versions/70.0.3538.110/Google", + "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", "Chrome", - "Helper.app/Contents/MacOS/Google", "Chrome", + "Chrome.app/Contents/Versions/70.0.3538.110/Google", "Helper", - "--type=utility", - "--field-trial-handle=120122713615061869,9401617251746517350,131072", - "--lang=en-US", - "--service-sandbox-type=utility", - "--service-request-channel-token=10458143409865682077", - "--seatbelt-client=262" + "Helper.app/Contents/MacOS/Google" ], "process.executable": "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome 
Helper", "process.hash.sha256": "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7", diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json index 52501ff2a7c..a1c3aed164d 100644 --- a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json +++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json @@ -34,8 +34,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ >/dev/null 2>&1", @@ -60,8 +60,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -123,8 +123,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-xspkubktopzqiwiofvdhqaglconkrgwp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675181.24-158548606882799/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675181.24-158548606882799/ >/dev/null 2>&1", @@ -149,8 +149,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", 
@@ -212,8 +212,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-vxcrqvczsrjrrsjcokculalhrgfsxqzl; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675202.4-199750250589919/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675202.4-199750250589919/ >/dev/null 2>&1", @@ -238,8 +238,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -301,8 +301,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-gruorqbeefuuhfprfoqzsftalatgwwvf; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675203.3-59927285912173/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675203.3-59927285912173/ >/dev/null 2>&1", @@ -327,8 +327,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -390,8 +390,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-fnthqelgspkbnpnxlsknzcbyxbqqxpmt; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675204.07-135388534337396/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675204.07-135388534337396/ >/dev/null 2>&1", @@ -416,8 +416,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", 
@@ -492,8 +492,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-wagdvfiuqxtryvmyrqlfcwoxeqqrxejt; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/async_wrapper 321853834469 45 /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/command /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/arguments; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/ >/dev/null 2>&1", @@ -518,8 +518,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -581,8 +581,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lkgydmrwiywdfvxfoxmgntufiumtzpmq; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675212.66-81790186240643/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675212.66-81790186240643/ >/dev/null 2>&1", @@ -607,8 +607,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -670,8 +670,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-mjsapklbglujaoktlsyytirwygexdily; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675218.96-234174787135180/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675218.96-234174787135180/ >/dev/null 2>&1", @@ -696,8 +696,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", 
@@ -759,8 +759,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-kvmafqtdnnvnyfyqlnoovickcavkqwdy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675219.83-99205535237718/setup; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675219.83-99205535237718/ >/dev/null 2>&1", @@ -785,8 +785,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -848,8 +848,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-nhrnwbdpypmsmvcstuihfqfbcvpxrmys; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675224.58-12467498973476/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675224.58-12467498973476/ >/dev/null 2>&1", @@ -874,8 +874,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -937,8 +937,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-buzartmsbrirxgcoibjpsqjkldihhexh; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675228.25-195852789001210/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675228.25-195852789001210/ >/dev/null 2>&1", @@ -963,8 +963,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", 
@@ -1026,8 +1026,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-swwkpvmnxhcuduxerfbgclhsmgbhwzie; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675247.78-128146395950020/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675247.78-128146395950020/ >/dev/null 2>&1", @@ -1052,8 +1052,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -1115,8 +1115,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-raffykohamlcbnpxzipksbvfpjbfpagy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675250.82-190689706060358/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675250.82-190689706060358/ >/dev/null 2>&1", @@ -1141,8 +1141,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", @@ -1204,8 +1204,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-dfoxiractbmtavfiwfnhzfkftipjumph; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675251.6-137767038423665/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675251.6-137767038423665/ >/dev/null 2>&1", @@ -1230,8 +1230,8 @@ "precise32" ], "related.user": [ - "vagrant", - "root" + "root", + "vagrant" ], "service.type": "system", "user.effective.name": "root", 
@@ -1293,8 +1293,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-jveaoynmhsmeodakzfhhaodihyroxobu; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675261.29-208287411335817/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675261.29-208287411335817/ >/dev/null 2>&1",
@@ -1319,8 +1319,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -1361,8 +1361,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] && rc=3; python -V 2>/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] && echo \"${rc} \"/etc/metricbeat/metricbeat.yml && exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (echo '0 ",
@@ -1403,8 +1403,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -1487,8 +1487,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-yesyhegdrhiolusidthffdemrxphqdfm; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675262.15-83340738940485/copy; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675262.15-83340738940485/ >/dev/null 2>&1",
@@ -1513,8 +1513,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -1576,8 +1576,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-vqbyiylfjufyxlwvxcwusklrtmiekpia; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675263.16-15325827909434/service; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675263.16-15325827909434/ >/dev/null 2>&1",
@@ -1602,8 +1602,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -1665,8 +1665,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-osrbplljwskuafamtjuanhwfxqdxmfbj; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675264.47-179299683847940/wait_for; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675264.47-179299683847940/ >/dev/null 2>&1",
@@ -1691,8 +1691,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -1754,8 +1754,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-xqypdfdxashhaekghbfnpdlcgsmfarmy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675265.39-273766954542007/service; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675265.39-273766954542007/ >/dev/null 2>&1",
@@ -1780,8 +1780,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -1843,8 +1843,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-ktkmpxhjivossxngupfgrqfobhopruzp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675266.58-47565152594552/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675266.58-47565152594552/ >/dev/null 2>&1",
@@ -1869,8 +1869,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -1932,8 +1932,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-erpqyqrmifxazcclvbqytjwxgdplhtpy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675275.74-155140815824587/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675275.74-155140815824587/ >/dev/null 2>&1",
@@ -1958,8 +1958,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -2021,8 +2021,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-cfqjebskszjdqpksprlbjpbttastwzyp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675276.62-248748589735433/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675276.62-248748589735433/ >/dev/null 2>&1",
@@ -2047,8 +2047,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -2110,8 +2110,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-oxbowrzvfhsebemuiblilqwvdxvnwztv; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675280.28-272460786101534/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675280.28-272460786101534/ >/dev/null 2>&1",
@@ -2136,8 +2136,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "user.effective.name": "root",
@@ -2199,8 +2199,8 @@
 "precise32"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-ohlhhhazvtawqawluadjlxglowwenmyc; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675302.51-201837201796085/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675302.51-201837201796085/ >/dev/null 2>&1",
diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json
index 25f2b8608b5..de48fc11540 100644
--- a/filebeat/module/system/auth/test/test.log-expected.json
+++ b/filebeat/module/system/auth/test/test.log-expected.json
@@ -167,8 +167,8 @@
 "localhost"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/ls",
@@ -223,8 +223,8 @@
 "localhost"
 ],
 "related.user": [
- "vagrant",
- "root"
+ "root",
+ "vagrant"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/cat /var/log/secure",
@@ -248,8 +248,8 @@
 "precise32"
 ],
 "related.user": [
- "tsg",
- "root"
+ "root",
+ "tsg"
 ],
 "service.type": "system",
 "system.auth.sudo.command": "/bin/ls",
@@ -270,8 +270,8 @@
 "event.outcome": "success",
 "event.timezone": "-02:00",
 "event.type": [
- "group",
- "creation"
+ "creation",
+ "group"
 ],
 "fileset.name": "auth",
 "group.id": "48",
@@ -296,8 +296,8 @@
 "event.outcome": "success",
 "event.timezone": "-02:00",
 "event.type": [
- "user",
- "creation"
+ "creation",
+ "user"
 ],
 "fileset.name": "auth",
 "group.id": "48",
diff --git a/filebeat/module/system/auth/test/timestamp.log-expected.json b/filebeat/module/system/auth/test/timestamp.log-expected.json
index ccbaedf2039..fd083732af6 100644
--- a/filebeat/module/system/auth/test/timestamp.log-expected.json
+++ b/filebeat/module/system/auth/test/timestamp.log-expected.json
@@ -16,8 +16,8 @@
 "localhost"
 ],
 "related.user": [
- "userauth3",
- "root"
+ "root",
+ "userauth3"
 ],
 "service.type": "system",
 "user.effective.name": "root",
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index 760847c8189..719086a0feb 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -202,6 +202,9 @@ def _test_expected_events(self, test_file, objects):
 for k, obj in enumerate(objects):
 objects[k] = self.flatten_object(obj, {}, "")
 clean_keys(objects[k])
+ for key in objects[k].keys():
+ if isinstance(objects[k][key], list):
+ objects[k][key].sort(key=str)
 json.dump(objects, f, indent=4, separators=(',', ': '), sort_keys=True)
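Review bot: The added `objects[k][key].sort(key=str)` orders elements by their Python repr, so for a list of dicts (the `request_parameters.tags` array in assume-role-json.log-expected.json is one) the resulting order depends on dict insertion order rather than on the data itself; `objects[k][key].sort(key=lambda v: json.dumps(v, sort_keys=True))` gives a canonical key using the `json` module this function already uses. Sorting also means the golden files no longer record element order, so a pipeline regression that reorders a field whose order carries meaning (tcp_flags_array in tcp-flag-sequence.log-expected.json goes from fin/syn/ack to ack/fin/syn in this commit) would not be caught by these expected files any more. A comment above the loop such as `# Sort list-valued fields so golden files do not depend on producer ordering; element order is deliberately not asserted.` would make that trade-off visible to whoever next regenerates the data. `_test_expected_events` begins before this hunk, and it is not visible here whether it continues past the `json.dump` call.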
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json
index 50253665f08..bb024ecae85 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json
@@ -23,8 +23,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "cloudtrail",
 "group.name": "admin",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json
index 47691a242dc..378b6f8b37f 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json
@@ -8,18 +8,18 @@
 "aws.cloudtrail.flattened.request_parameters.roleArn": "arn:aws:iam::111111111111:role/JohnRole2",
 "aws.cloudtrail.flattened.request_parameters.roleSessionName": "Role2WithTags",
 "aws.cloudtrail.flattened.request_parameters.tags": [
- {
- "key": "Email",
- "value": "johndoe@example.com"
- },
 {
 "key": "CostCenter",
 "value": "12345"
+ },
+ {
+ "key": "Email",
+ "value": "johndoe@example.com"
 }
 ],
 "aws.cloudtrail.flattened.request_parameters.transitiveTagKeys": [
- "Email",
- "CostCenter"
+ "CostCenter",
+ "Email"
 ],
 "aws.cloudtrail.flattened.response_elements.assumedRoleUser.arn": "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags",
 "aws.cloudtrail.flattened.response_elements.assumedRoleUser.assumedRoleId": "AROAIFR7WHDTSOYQYHFUE:Role2WithTags",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json
index f6bb959a8d6..bf672d7bd36 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json
@@ -23,8 +23,8 @@
 "event.outcome": "failure",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
@@ -67,8 +67,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log-expected.json
index e4cf4e32a06..2bb31cd7284 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log-expected.json
@@ -5,35 +5,35 @@
 "aws.cloudtrail.digest.log_files": [
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "420784a5bbc12e9ac442451e8ec1356744fdeabf4fee0d2222508db6d448139c",
- "newestEventTime": "2020-09-11T19:26:24Z",
- "oldestEventTime": "2020-09-11T19:26:24Z",
+ "hashValue": "2695aeb3b4c1f021fe76e0b36f5ac15e557c41c58af6eef282d77ef056210d70",
+ "newestEventTime": "2020-09-11T18:32:04Z",
+ "oldestEventTime": "2020-09-11T18:32:04Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1930Z_l2pGqVS53QcGdAkp.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1835Z_OPJhVNodH1gY760s.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "4e1eb2a8b41d032cbb16e5449fc8f3eac304e7d43017a391b37c788c77336196",
- "newestEventTime": "2020-09-11T19:11:18Z",
- "oldestEventTime": "2020-09-11T19:11:18Z",
+ "hashValue": "9044f9a05d70688bc6f6048d5f8d00764ab65e132b8ffefb193b22ca4394d771",
+ "newestEventTime": "2020-09-11T18:37:10Z",
+ "oldestEventTime": "2020-09-11T18:37:10Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1915Z_TIKlbLnJ6IwUxqxw.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1840Z_btJydJ2t7hCRnjsN.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "2695aeb3b4c1f021fe76e0b36f5ac15e557c41c58af6eef282d77ef056210d70",
- "newestEventTime": "2020-09-11T18:32:04Z",
- "oldestEventTime": "2020-09-11T18:32:04Z",
+ "hashValue": "94f09d2398632c7b0c0066ed5d56768632dd2e06ed9c80af9d0c2c5f59bd60b6",
+ "newestEventTime": "2020-09-11T18:41:58Z",
+ "oldestEventTime": "2020-09-11T18:41:58Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1835Z_OPJhVNodH1gY760s.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1845Z_TSDKyASOn2ejOq5n.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "45a2906f55cbfc912584e9425f8d3d8d6fabf571a45a5ecd7d2a0f4132b81689",
- "newestEventTime": "2020-09-11T19:21:28Z",
- "oldestEventTime": "2020-09-11T19:21:28Z",
+ "hashValue": "18650414e79e084dff02da66253f071347f7bb5c4863279bafe7762a980f7c0b",
+ "newestEventTime": "2020-09-11T18:46:45Z",
+ "oldestEventTime": "2020-09-11T18:46:45Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1925Z_zJNGzQovyNAImZV9.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1850Z_jLldN7U8XrspES8p.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
@@ -45,11 +45,11 @@
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "18650414e79e084dff02da66253f071347f7bb5c4863279bafe7762a980f7c0b",
- "newestEventTime": "2020-09-11T18:46:45Z",
- "oldestEventTime": "2020-09-11T18:46:45Z",
+ "hashValue": "b2b0e2804d1c6b92d76eee203d7eba32d3d003e6967f175723a83ecc2d7ad4ba",
+ "newestEventTime": "2020-09-11T18:56:05Z",
+ "oldestEventTime": "2020-09-11T18:56:05Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1850Z_jLldN7U8XrspES8p.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1900Z_6LjrkrhsLQMzCiSN.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
@@ -61,43 +61,43 @@
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "6e0d8fcbd712d3f6d1caf4a872681f4290b05ed8a8f1c9450a0a6db92ccab4d7",
- "newestEventTime": "2020-09-11T19:16:12Z",
- "oldestEventTime": "2020-09-11T19:16:12Z",
+ "hashValue": "4397a13565a67d9ed6e57737b98eb7e61ca52bb191c9b5da0423136dfc5581c7",
+ "newestEventTime": "2020-09-11T19:06:31Z",
+ "oldestEventTime": "2020-09-11T19:06:31Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1920Z_bj5DRrmILF6jK23a.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1910Z_DLyqye8LaeoD204N.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "b2b0e2804d1c6b92d76eee203d7eba32d3d003e6967f175723a83ecc2d7ad4ba",
- "newestEventTime": "2020-09-11T18:56:05Z",
- "oldestEventTime": "2020-09-11T18:56:05Z",
+ "hashValue": "4e1eb2a8b41d032cbb16e5449fc8f3eac304e7d43017a391b37c788c77336196",
+ "newestEventTime": "2020-09-11T19:11:18Z",
+ "oldestEventTime": "2020-09-11T19:11:18Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1900Z_6LjrkrhsLQMzCiSN.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1915Z_TIKlbLnJ6IwUxqxw.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "4397a13565a67d9ed6e57737b98eb7e61ca52bb191c9b5da0423136dfc5581c7",
- "newestEventTime": "2020-09-11T19:06:31Z",
- "oldestEventTime": "2020-09-11T19:06:31Z",
+ "hashValue": "6e0d8fcbd712d3f6d1caf4a872681f4290b05ed8a8f1c9450a0a6db92ccab4d7",
+ "newestEventTime": "2020-09-11T19:16:12Z",
+ "oldestEventTime": "2020-09-11T19:16:12Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1910Z_DLyqye8LaeoD204N.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1920Z_bj5DRrmILF6jK23a.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "94f09d2398632c7b0c0066ed5d56768632dd2e06ed9c80af9d0c2c5f59bd60b6",
- "newestEventTime": "2020-09-11T18:41:58Z",
- "oldestEventTime": "2020-09-11T18:41:58Z",
+ "hashValue": "45a2906f55cbfc912584e9425f8d3d8d6fabf571a45a5ecd7d2a0f4132b81689",
+ "newestEventTime": "2020-09-11T19:21:28Z",
+ "oldestEventTime": "2020-09-11T19:21:28Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1845Z_TSDKyASOn2ejOq5n.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1925Z_zJNGzQovyNAImZV9.json.gz"
 },
 {
 "hashAlgorithm": "SHA-256",
- "hashValue": "9044f9a05d70688bc6f6048d5f8d00764ab65e132b8ffefb193b22ca4394d771",
- "newestEventTime": "2020-09-11T18:37:10Z",
- "oldestEventTime": "2020-09-11T18:37:10Z",
+ "hashValue": "420784a5bbc12e9ac442451e8ec1356744fdeabf4fee0d2222508db6d448139c",
+ "newestEventTime": "2020-09-11T19:26:24Z",
+ "oldestEventTime": "2020-09-11T19:26:24Z",
 "s3Bucket": "alice-bucket",
- "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1840Z_btJydJ2t7hCRnjsN.json.gz"
+ "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1930Z_l2pGqVS53QcGdAkp.json.gz"
 }
 ],
 "aws.cloudtrail.digest.newest_event_time": "2020-09-11T19:26:24.000Z",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json
index bfce5b07ccb..142871a2cea 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json
@@ -31,8 +31,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json
index 7487c6d6581..656d482cda5 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json
@@ -32,8 +32,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "group",
- "creation"
+ "creation",
+ "group"
 ],
 "fileset.name": "cloudtrail",
 "group.id": "EXAMPLE_ID",
@@ -81,8 +81,8 @@
 "event.outcome": "failure",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "group",
- "creation"
+ "creation",
+ "group"
 ],
 "fileset.name": "cloudtrail",
 "group.name": "TEST-GROUP",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json
index 65b0db2d293..37279a779e5 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json
@@ -26,8 +26,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "creation"
+ "creation",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json
index 5ab34b15c5f..bc904709e8f 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json
@@ -28,8 +28,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json
index 2639ed8a490..c7869c4daac 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json
@@ -27,8 +27,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json
index 8146718df72..b12844b1e32 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json
@@ -27,8 +27,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json
index d1c2ab6f9e7..3d00e29de8a 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json
@@ -26,8 +26,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "group",
- "deletion"
+ "deletion",
+ "group"
 ],
 "fileset.name": "cloudtrail",
 "group.name": "TEST-GROUP",
@@ -74,8 +74,8 @@
 "event.outcome": "failure",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "group",
- "deletion"
+ "deletion",
+ "group"
 ],
 "fileset.name": "cloudtrail",
 "group.name": "TEST-GROUP",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json
index d1f4415d4cd..6167b5b5df6 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json
@@ -27,8 +27,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json
index ac0c0163b5d..4017dfc7079 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json
@@ -26,8 +26,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "deletion"
+ "deletion",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json
index ec713a1c41b..ae9fe4c2038 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json
@@ -26,8 +26,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json
index 253bf3d4523..04c42b6b0f3 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json
@@ -26,8 +26,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json
index 419a86799cc..582713d76f9 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json
@@ -27,8 +27,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "cloudtrail",
 "group.name": "Admin",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
index 4b30eaed7ae..86fc90b05d7 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
@@ -28,8 +28,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
index 95827327cec..00ad8282705 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
@@ -24,8 +24,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "cloudtrail",
 "group.name": "TEST-GROUP",
@@ -74,8 +74,8 @@
 "event.outcome": "failure",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "cloudtrail",
 "group.name": "TEST-GROUP2",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
index 6992dc1a978..924d11fa968 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
@@ -26,8 +26,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
index 12efc4cf071..fd84ccb9049 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
@@ -28,8 +28,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
@@ -80,8 +80,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
index 068c1db631a..dc72e8c5cad 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
@@ -24,8 +24,8 @@
 "event.outcome": "success",
 "event.provider": "iam.amazonaws.com",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "cloudtrail",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
index 1f1b3e061b2..9e7aa834d8a 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
@@ -37,8 +37,8 @@
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "78.24.182.42",
- "158.109.0.1"
+ "158.109.0.1",
+ "78.24.182.42"
 ],
 "service.type": "aws",
 "source.address": "78.24.182.42",
@@ -98,8 +98,8 @@
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "78.24.182.42",
- "158.109.0.1"
+ "158.109.0.1",
+ "78.24.182.42"
 ],
 "service.type": "aws",
 "source.address": "78.24.182.42",
@@ -151,8 +151,8 @@ "network.packets": 4, "network.type": "ipv4", "related.ip": [ - "203.0.113.12", - "172.31.16.139" + "172.31.16.139", + "203.0.113.12" ], "service.type": "aws", "source.address": "203.0.113.12", diff --git a/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json index 6b9e4382bb5..a5fbe695b27 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json @@ -17,8 +17,8 @@ "log.offset": 65, "network.type": "ipv4", "related.ip": [ - "10.0.1.5", - "10.0.0.220" + "10.0.0.220", + "10.0.1.5" ], "service.type": "aws", "source.address": "10.0.1.5", diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json index 7f79d489595..24135b909e7 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json @@ -41,8 +41,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "52.213.180.42", - "10.0.0.62" + "10.0.0.62", + "52.213.180.42" ], "service.type": "aws", "source.address": "52.213.180.42", @@ -107,8 +107,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "52.213.180.42", - "10.0.0.62" + "10.0.0.62", + "52.213.180.42" ], "service.type": "aws", "source.address": "52.213.180.42", @@ -142,9 +142,9 @@ "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678", "aws.vpcflow.tcp_flags": "19", "aws.vpcflow.tcp_flags_array": [ + "ack", "fin", - "syn", - "ack" + "syn" ], "aws.vpcflow.type": "IPv4", "aws.vpcflow.version": "3", 
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index 75e6eb05bb2..1fd194b5b9d 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json 
@@ -166,5 +166,220 @@ "user.full_name": "Test LTest", "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", "user.name": "c3813493-bf92-5123-2717-8a8b2979c38b" +<<<<<<< HEAD +======= + }, + { + "@timestamp": "2021-01-26T13:39:55.786Z", + "azure.correlation_id": "1ba108d9-9609-48be-baee-afc0885baa06", + "azure.resource.id": "/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam", + "azure.resource.provider": "Microsoft.aadiam", + "azure.signinlogs.category": "SignInLogs", + "azure.signinlogs.identity": "Doe, John", + "azure.signinlogs.operation_name": "Sign-in activity", + "azure.signinlogs.operation_version": "1.0", + "azure.signinlogs.properties.app_display_name": "Office365 Shell WCSS-Client", + "azure.signinlogs.properties.app_id": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "azure.signinlogs.properties.applied_conditional_access_policies": [ + { + "conditionsNotSatisfied": 0, + "conditionsSatisfied": 0, + "displayName": "ForceMFAfor B2C", + "enforcedGrantControls": [], + "enforcedSessionControls": [], + "id": "0dff3d49-001e-413f-86eb-2800e789674c", + "result": "notEnabled" + }, + { + "conditionsNotSatisfied": 1, + "conditionsSatisfied": 0, + "displayName": "Netscaler MFA", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "id": "ee756a5f-8c3b-41eb-8ace-0839597f718a", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 2, + "conditionsSatisfied": 1, + "displayName": "Baseline Policy: Blocks legacy authentication", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "id": "c1311105-97ac-4ebd-a866-5b215d066765", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 2, + "conditionsSatisfied": 1, + "displayName": "On-Prem Access Only", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "id": "123ebbf1-e868-4a77-bfd9-b59bd6c2412e", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 2, + "conditionsSatisfied": 1, + 
"displayName": "Baseline policy: Require MFA for admins", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "id": "a5527e71-9da1-41d0-859b-7ca84dae03a7", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 2, + "conditionsSatisfied": 1, + "displayName": "Test Policy", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "id": "cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa", + "result": "notApplied" + }, + { + "conditionsNotSatisfied": 8, + "conditionsSatisfied": 19, + "displayName": "Enforce Verification on External Access", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "id": "913f5adc-cd20-4b35-93b8-fbe145f68444", + "result": "notApplied" + } + ], + "azure.signinlogs.properties.authentication_details": [ + { + "RequestSequence": 0, + "StatusSequence": 0, + "authenticationMethod": "Previously satisfied", + "authenticationStepDateTime": "2021-01-26T13:39:55.7863053+00:00", + "authenticationStepRequirement": "Primary authentication", + "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", + "succeeded": true + } + ], + "azure.signinlogs.properties.authentication_processing_details": [ + { + "key": "Private Link Id", + "value": "0" + }, + { + "key": "IsCAEToken", + "value": "False" + }, + { + "key": "Azure AD App Authentication Library", + "value": "Family: ADAL Library: ADAL.Js 1.0.15 Platform: JS" + }, + { + "key": "Domain Hint Present", + "value": "True" + }, + { + "key": "Login Hint Present", + "value": "True" + } + ], + "azure.signinlogs.properties.authentication_requirement": "singleFactorAuthentication", + "azure.signinlogs.properties.authentication_requirement_policies": [], + "azure.signinlogs.properties.client_app_used": "Browser", + "azure.signinlogs.properties.conditional_access_status": "success", + "azure.signinlogs.properties.correlation_id": "1ba108d9-9609-48be-baee-afc0885baa06", + 
"azure.signinlogs.properties.created_at": "2021-01-26T13:39:55.7863053+00:00", + "azure.signinlogs.properties.device_detail.browser": "Chrome 87.0.4280", + "azure.signinlogs.properties.device_detail.device_id": "", + "azure.signinlogs.properties.device_detail.operating_system": "Windows 10", + "azure.signinlogs.properties.flagged_for_review": false, + "azure.signinlogs.properties.id": "a9222177-db03-40ef-9b86-5b207ed72000", + "azure.signinlogs.properties.ip_address": "192.168.108.29", + "azure.signinlogs.properties.is_interactive": true, + "azure.signinlogs.properties.network_location_details": [], + "azure.signinlogs.properties.original_request_id": "a9222177-db03-40ef-9b86-5b207ed72000", + "azure.signinlogs.properties.processing_time_ms": 162, + "azure.signinlogs.properties.resource_display_name": "Microsoft Graph", + "azure.signinlogs.properties.resource_id": "00000003-0000-0000-c000-000000000000", + "azure.signinlogs.properties.resource_tenant_id": "19aa547c-22ab-606d-a4b6-541c5ce52b71", + "azure.signinlogs.properties.risk_detail": "none", + "azure.signinlogs.properties.risk_event_types": [], + "azure.signinlogs.properties.risk_event_types_v2": [], + "azure.signinlogs.properties.risk_level_aggregated": "none", + "azure.signinlogs.properties.risk_level_during_signin": "none", + "azure.signinlogs.properties.risk_state": "none", + "azure.signinlogs.properties.service_principal_id": "", + "azure.signinlogs.properties.status.error_code": 0, + "azure.signinlogs.properties.token_issuer_name": "", + "azure.signinlogs.properties.token_issuer_type": "AzureAD", + "azure.signinlogs.properties.user_display_name": "Doe, John", + "azure.signinlogs.properties.user_id": "762a6171-29d0-456b-b88b-ca7f7d99728d", + "azure.signinlogs.properties.user_principal_name": "john.doe@example.com", + "azure.signinlogs.properties.user_type": "Member", + "azure.signinlogs.result_signature": "None", + "azure.signinlogs.result_type": "0", + "azure.tenant_id": 
"19aa547c-22ab-606d-a4b6-541c5ce52b71", + "client.ip": "8.8.8.8", + "cloud.provider": "azure", + "event.action": "Sign-in activity", + "event.category": [ + "authentication" + ], + "event.dataset": "azure.signinlogs", + "event.duration": 0, + "event.kind": "event", + "event.module": "azure", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"8.8.8.8\",\"category\":\"SignInLogs\",\"correlationId\":\"1ba108d9-9609-48be-baee-afc0885baa06\",\"durationMs\":0,\"identity\":\"Doe, John\",\"location\":\"US\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office365 Shell WCSS-Client\",\"appId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"On-Prem Access Only\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"123ebbf1-e868-4a77-bfd9-b59bd6c2412e\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":0,\"displayName\":\"ForceMFAfor B2C\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"id\":\"0dff3d49-001e-413f-86eb-2800e789674c\",\"result\":\"notEnabled\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Baseline policy: Require MFA for admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"a5527e71-9da1-41d0-859b-7ca84dae03a7\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Baseline Policy: Blocks legacy authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"c1311105-97ac-4ebd-a866-5b215d066765\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"Netscaler 
MFA\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"SignInFrequency\"],\"id\":\"ee756a5f-8c3b-41eb-8ace-0839597f718a\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":8,\"conditionsSatisfied\":19,\"displayName\":\"Enforce Verification on External Access\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"SignInFrequency\"],\"id\":\"913f5adc-cd20-4b35-93b8-fbe145f68444\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Test Policy\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa\",\"result\":\"notApplied\"}],\"authenticationDetails\":[{\"RequestSequence\":0,\"StatusSequence\":0,\"authenticationMethod\":\"Previously satisfied\",\"authenticationStepDateTime\":\"2021-01-26T13:39:55.7863053+00:00\",\"authenticationStepRequirement\":\"Primary authentication\",\"authenticationStepResultDetail\":\"First factor requirement satisfied by claim in the token\",\"succeeded\":true}],\"authenticationProcessingDetails\":[{\"key\":\"Domain Hint Present\",\"value\":\"True\"},{\"key\":\"Login Hint Present\",\"value\":\"True\"},{\"key\":\"Private Link Id\",\"value\":\"0\"},{\"key\":\"Azure AD App Authentication Library\",\"value\":\"Family: ADAL Library: ADAL.Js 1.0.15 Platform: JS\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"1ba108d9-9609-48be-baee-afc0885baa06\",\"createdDateTime\":\"2021-01-26T13:39:55.7863053+00:00\",\"deviceDetail\":{\"browser\":\"Chrome 87.0.4280\",\"deviceId\":\"\",\"operatingSystem\":\"Windows 
10\"},\"flaggedForReview\":false,\"id\":\"a9222177-db03-40ef-9b86-5b207ed72000\",\"ipAddress\":\"192.168.108.29\",\"isInteractive\":true,\"location\":{\"city\":\"Pierre\",\"countryOrRegion\":\"US\",\"geoCoordinates\":{\"latitude\":44.567081451416016,\"longitude\":-100.26722717285156},\"state\":\"South Dakota\"},\"networkLocationDetails\":[],\"originalRequestId\":\"a9222177-db03-40ef-9b86-5b207ed72000\",\"processingTimeInMilliseconds\":162,\"resourceDisplayName\":\"Microsoft Graph\",\"resourceId\":\"00000003-0000-0000-c000-000000000000\",\"resourceTenantId\":\"19aa547c-22ab-606d-a4b6-541c5ce52b71\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\",\"userDisplayName\":\"Doe, John\",\"userId\":\"762a6171-29d0-456b-b88b-ca7f7d99728d\",\"userPrincipalName\":\"john.doe@example.com\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"19aa547c-22ab-606d-a4b6-541c5ce52b71\",\"time\":\"2021-01-26T13:39:55.7863053Z\"}", + "event.outcome": "success", + "event.type": [ + "info" + ], + "fileset.name": "signinlogs", + "geo.city_name": "Pierre", + "geo.country_iso_code": "US", + "geo.country_name": "South Dakota", + "geo.location.lat": 44.567081451416016, + "geo.location.lon": -100.26722717285156, + "input.type": "log", + "log.level": 4, + "log.offset": 3390, + "related.ip": [ + "8.8.8.8" + ], + "service.type": "azure", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "tags": [ + "forwarded" + ], + "user.domain": "example.com", + "user.full_name": "Doe, John", + "user.id": "762a6171-29d0-456b-b88b-ca7f7d99728d", + "user.name": "john.doe", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36", + "user_agent.os.full": "Windows 10", + "user_agent.os.name": "Windows", + "user_agent.os.version": "10", + "user_agent.version": "87.0.4280.141" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json index c9ab9284cfc..8836633e95d 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -495,8 +495,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.18.165.35", - "10.110.109.5" + "10.110.109.5", + "10.18.165.35" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, @@ -1008,8 +1008,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.hosts": [ - "vitaedi", - "neav6028.internal.domain" + "neav6028.internal.domain", + "vitaedi" ], "related.ip": [ "10.128.114.77" @@ -3159,8 +3159,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.178.30.158", - "10.1.6.115" + "10.1.6.115", + "10.178.30.158" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, 
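Review bot: Unresolved merge-conflict markers are committed as added lines in this hunk — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)` — which leaves signinlogs.log-expected.json unparsable, so the module's golden-file test will fail on loading the expected output instead of comparing events. The `<<<<<<< HEAD` and `=======` markers are adjacent with nothing between them, so the resolution is to keep the incoming event object and delete the three marker lines; nothing else in the hunk needs to change. Rather than hand-resolving, regenerate this file with the new sorter, because the added object's `azure.signinlogs.properties.authentication_processing_details` entries do not appear to follow the string-sorted ordering the rest of the commit applies to arrays such as `related.ip`, and the other expected files touched by the cherry-pick named on the closing marker deserve the same leftover-marker check. Separately and hedged, since the ingest pipeline is not in this diff: the added event carries `"geo.country_name": "South Dakota"` next to `"geo.country_iso_code": "US"`, which looks like the original's `location.state` being mapped into `geo.country_name`; that is pre-existing pipeline behaviour worth a follow-up, not a fixture edit.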
diff --git a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json index d2902dc24b6..76698d44be5 100644 --- a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json @@ -101,8 +101,8 @@ "observer.vendor": "Elastic", "observer.version": "1.0.0-alpha", "related.hash": [ - "bc8bbe52f041fd17318f08a0f73762ce", - "a9796280592f86b74b27e370662d41eb" + "a9796280592f86b74b27e370662d41eb", + "bc8bbe52f041fd17318f08a0f73762ce" ], "related.ip": [ "1.2.3.4", diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index eefe063490d..237e6f0a8d5 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json @@ -78,10 +78,10 @@ "observer.vendor": "Check Point", "observer.version": "Check Point", "related.ip": [ - "52.173.84.157", "0.0.0.0", "192.168.101.100", - "192.168.103.254" + "192.168.103.254", + "52.173.84.157" ], "rule.category": "Business / Economy", "rule.uuid": "9e5e6e74-aa9a-4693-b9fe-53712dd27bea", diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json index 3087409c970..b0e7e06ebeb 100644 --- a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json @@ -174,8 +174,8 @@ "10.1.1.10" ], "related.ip": [ - "255.255.255.255", - "172.16.1.1" + "172.16.1.1", + "255.255.255.255" ], "rule.id": "605.0", "service.type": "cef", @@ -230,8 +230,8 @@ "10.1.1.1" ], "related.ip": [ - "192.168.1.1", - "172.16.1.1" + "172.16.1.1", + "192.168.1.1" ], "rule.id": "601.0", "service.type": "cef", 
diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json index 30fc5952b01..b9f1c2c5bfb 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json @@ -120,8 +120,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -242,8 +242,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -306,8 +306,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -361,8 +361,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -425,8 +425,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", @@ -480,8 +480,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", 
@@ -544,8 +544,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", @@ -599,8 +599,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -663,8 +663,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.81.142.43" + "104.81.142.43", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.81.142.43", @@ -718,8 +718,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -782,8 +782,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", @@ -837,8 +837,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -901,8 +901,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", 
@@ -956,8 +956,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -1020,8 +1020,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -1075,8 +1075,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -1139,8 +1139,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", @@ -1194,8 +1194,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -1258,8 +1258,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", @@ -1313,8 +1313,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", 
@@ -1377,8 +1377,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", @@ -1432,8 +1432,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -1496,8 +1496,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", @@ -1551,8 +1551,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -1615,8 +1615,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -1670,8 +1670,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -1734,8 +1734,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", 
@@ -1789,8 +1789,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -1853,8 +1853,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", @@ -1908,8 +1908,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -1972,8 +1972,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -2027,8 +2027,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -2091,8 +2091,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", @@ -2146,8 +2146,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", 
@@ -2258,8 +2258,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", @@ -2408,8 +2408,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -2516,8 +2516,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -2580,8 +2580,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", @@ -2635,8 +2635,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -2699,8 +2699,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", @@ -2754,8 +2754,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", 
@@ -2818,8 +2818,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -2873,8 +2873,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -2937,8 +2937,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", @@ -2992,8 +2992,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -3056,8 +3056,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", @@ -3111,8 +3111,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -3175,8 +3175,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", 
@@ -3278,8 +3278,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -3342,8 +3342,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", @@ -3397,8 +3397,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -3461,8 +3461,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", @@ -3516,8 +3516,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -3580,8 +3580,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -3635,8 +3635,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", 
@@ -3699,8 +3699,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", @@ -3754,8 +3754,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -3818,8 +3818,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", @@ -3883,8 +3883,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -3938,8 +3938,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -3992,8 +3992,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -4056,8 +4056,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", 
@@ -4111,8 +4111,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -4175,8 +4175,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", @@ -4379,8 +4379,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -4433,8 +4433,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -4497,8 +4497,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.81.142.43" + "104.81.142.43", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.81.142.43", @@ -4552,8 +4552,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -4616,8 +4616,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", 
@@ -4671,8 +4671,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -4735,8 +4735,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", @@ -4790,8 +4790,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -4854,8 +4854,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -4909,8 +4909,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -4973,8 +4973,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", @@ -5028,8 +5028,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", 
@@ -5092,8 +5092,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", @@ -5147,8 +5147,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -5211,8 +5211,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -5266,8 +5266,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -5330,8 +5330,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.41" + "192.124.249.41", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.41", @@ -5385,8 +5385,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -5449,8 +5449,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.36" + "192.124.249.36", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.36", 
@@ -5504,8 +5504,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -5568,8 +5568,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "104.99.234.45" + "104.99.234.45", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "104.99.234.45", @@ -5623,8 +5623,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.168.1.1" + "192.168.1.1", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.168.1.1", @@ -5687,8 +5687,8 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "192.168.1.100", - "192.124.249.31" + "192.124.249.31", + "192.168.1.100" ], "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", "server.ip": "192.124.249.31", diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json index 6f6bb95e97a..c37bb94fda0 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json @@ -46,15 +46,15 @@ "log.offset": 0, "related.hash": [ "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", - "c877b67a5733c59d0d8ed8d519df0c91", - "128aa78059540cf0cdae2a3cea30cd80e00f2046" + "128aa78059540cf0cdae2a3cea30cd80e00f2046", + "c877b67a5733c59d0d8ed8d519df0c91" ], "related.hosts": [ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -97,8 +97,8 @@ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -159,16 +159,16 @@ "process.name": "svchost.exe", "process.pid": 896, "related.hash": [ - "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", "0fe5be3811a98ee6a9c997d3812d911a", + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", "cf162622e29bca072d01b274fbbc3ceaacdd13c7" ], "related.hosts": [ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -223,8 +223,8 @@ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -278,8 +278,8 @@ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -340,16 +340,16 @@ "process.name": "svchost.exe", "process.pid": 896, "related.hash": [ - "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", "0fe5be3811a98ee6a9c997d3812d911a", + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", "cf162622e29bca072d01b274fbbc3ceaacdd13c7" ], "related.hosts": [ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -417,8 +417,8 @@ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -473,8 +473,8 @@ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -532,8 +532,8 @@ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -591,8 +591,8 @@ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -650,8 +650,8 @@ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -709,8 +709,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -768,8 +768,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -828,8 +828,8 @@ "Demo_Low_Prev_Retro" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -880,8 +880,8 @@ "Demo_BP_WMIPRVSE" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -945,8 +945,8 @@ "Demo_BP_WMIPRVSE" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1007,8 +1007,8 @@ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1060,16 +1060,16 @@ "input.type": "log", "log.offset": 30050, "related.hash": [ - "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", "41476df3138717868118d8542cf3d1d6", - "5ca4bef8de6def53519d4b22632675bb4c1e470b" + "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" ], "related.hosts": [ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1127,8 +1127,8 @@ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1181,8 +1181,8 @@ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1234,16 +1234,16 @@ "input.type": "log", "log.offset": 34132, "related.hash": [ - "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", "41476df3138717868118d8542cf3d1d6", - "5ca4bef8de6def53519d4b22632675bb4c1e470b" + "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" ], "related.hosts": [ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1286,8 +1286,8 @@ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1341,8 +1341,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1394,8 +1394,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1453,8 +1453,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1509,15 +1509,15 @@ "log.offset": 39856, "related.hash": [ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", - "84b6f7be5370c1998886214790c6892b", - "5faebef3bb880489195e80e6656ccf442ff7123b" + "5faebef3bb880489195e80e6656ccf442ff7123b", + "84b6f7be5370c1998886214790c6892b" ], "related.hosts": [ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1668,8 +1668,8 @@ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1712,8 +1712,8 @@ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1771,8 +1771,8 @@ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1830,8 +1830,8 @@ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1883,8 +1883,8 @@ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1942,8 +1942,8 @@ "Demo_AMP_Exploit_Prevention_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1986,8 +1986,8 @@ "Demo_AMP_Exploit_Prevention_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2048,16 +2048,16 @@ "process.name": "explorer.exe", "process.pid": 2632, "related.hash": [ - "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9", + "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c", "cfdd16225e67471f5ef54cab9b3a5558", - "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c" + "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9" ], "related.hosts": [ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2112,8 +2112,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2174,16 +2174,16 @@ "process.name": "powershell.exe", "process.pid": 4868, "related.hash": [ - "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117", + "7d9518ea3f98d037745352b23861fab05d3777dc", "c624d61b8f076c3ef05f74eeb96c8954", - "7d9518ea3f98d037745352b23861fab05d3777dc" + "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117" ], "related.hosts": [ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2238,8 +2238,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2297,8 +2297,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2356,8 +2356,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2430,8 +2430,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2504,8 +2504,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2545,6 +2545,16 @@ ], "cisco.amp.timestamp_nanoseconds": 0, "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2017-11774", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774" + }, + { + "cve": "CVE-2017-8571", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571" + }, { "cve": "CVE-2017-0106", "name": "Microsoft Office", @@ -2552,11 +2562,6 @@ "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106", "version": "2016" }, - { - "cve": "CVE-2017-11774", - "score": "6.8", - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774" - }, { "cve": "CVE-2017-8506", "score": "9.3", @@ -2567,11 +2572,6 @@ "score": "9.3", "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507" }, - { - "cve": "CVE-2017-8571", - "score": "6.8", - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571" - }, { "cve": "CVE-2017-8663", "score": "9.3", @@ -2608,8 +2608,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -2652,8 +2652,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2702,8 +2702,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2747,8 +2747,8 @@ "Demo_AMP_Intel" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json index c26ba6d9286..997b660d8ed 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json @@ -37,17 +37,6 @@ "system_requirements": "Privileges to access certain files and directories", "tactics_names": "Collection" }, - { - "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs", - "description": "

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n", - "external_id": "T1053", - "mitre_name": "technique", - "mitre_url": "https://attack.mitre.org/techniques/T1053", - "name": "Scheduled Task/Job", - "permissions": "Administrator, SYSTEM, User", - "platforms": "Windows, Linux, macOS", - "tactics_names": "Execution, Persistence, Privilege Escalation" - }, { "data_sources": "Process monitoring, File monitoring, Process command-line parameters", "description": "

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n", @@ -58,6 +47,17 @@ "permissions": "User", "platforms": "Linux, macOS, Windows", "tactics_names": "Defense Evasion, Execution" + }, + { + "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs", + "description": "

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n", + "external_id": "T1053", + "mitre_name": "technique", + "mitre_url": "https://attack.mitre.org/techniques/T1053", + "name": "Scheduled Task/Job", + "permissions": "Administrator, SYSTEM, User", + "platforms": "Windows, Linux, macOS", + "tactics_names": "Execution, Persistence, Privilege Escalation" } ], "cisco.amp.threat_hunting.incident_end_time": "2020-06-18T11:12:50.000Z", @@ -91,17 +91,6 @@ "system_requirements": "Privileges to access certain files and directories", "tactics_names": "Collection" }, - { - "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs", - "description": "

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n", - "external_id": "T1053", - "mitre_name": "technique", - "mitre_url": "https://attack.mitre.org/techniques/T1053", - "name": "Scheduled Task/Job", - "permissions": "Administrator, SYSTEM, User", - "platforms": "Windows, Linux, macOS", - "tactics_names": "Execution, Persistence, Privilege Escalation" - }, { "data_sources": "Process monitoring, File monitoring, Process command-line parameters", "description": "

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n", @@ -112,6 +101,17 @@ "permissions": "User", "platforms": "Linux, macOS, Windows", "tactics_names": "Defense Evasion, Execution" + }, + { + "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs", + "description": "

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n", + "external_id": "T1053", + "mitre_name": "technique", + "mitre_url": "https://attack.mitre.org/techniques/T1053", + "name": "Scheduled Task/Job", + "permissions": "Administrator, SYSTEM, User", + "platforms": "Windows, Linux, macOS", + "tactics_names": "Execution, Persistence, Privilege Escalation" } ], "cisco.amp.timestamp_nanoseconds": 155518026, @@ -129,8 +129,8 @@ "Demo_Threat_Hunting" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -191,16 +191,16 @@ "process.name": "iexplore.exe", "process.pid": 4040, "related.hash": [ + "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", - "e2f5dcd966e26d54329e8d79c7201652", - "70aef829bec17195e6c8ec0e6cba0ed39f97ba48" + "e2f5dcd966e26d54329e8d79c7201652" ], "related.hosts": [ "Demo_Upatre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -264,16 +264,16 @@ "process.name": "iexplore.exe", "process.pid": 4040, "related.hash": [ + "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", - "e2f5dcd966e26d54329e8d79c7201652", - "70aef829bec17195e6c8ec0e6cba0ed39f97ba48" + "e2f5dcd966e26d54329e8d79c7201652" ], "related.hosts": [ "Demo_Upatre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -330,16 +330,16 @@ "input.type": "log", "log.offset": 15757, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -404,9 +404,9 @@ ], "related.ip": [ "10.10.0.0", + "10.10.10.10", "8.8.4.4", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -476,9 +476,9 @@ ], "related.ip": [ "10.10.0.0", + "10.10.10.10", "8.8.4.4", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -548,9 +548,9 @@ ], "related.ip": [ "10.10.0.0", + "10.10.10.10", "8.8.4.4", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -620,9 +620,9 @@ ], "related.ip": [ "10.10.0.0", + "10.10.10.10", "8.8.4.4", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -692,9 +692,9 @@ ], "related.ip": [ "10.10.0.0", + "10.10.10.10", "8.8.4.4", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -764,9 +764,9 @@ ], "related.ip": [ "10.10.0.0", + "10.10.10.10", "8.8.4.4", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -829,8 +829,8 @@ "Demo_Command_Line_Arguments_Meterpreter" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -885,16 +885,16 @@ "input.type": "log", "log.offset": 27431, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -952,8 +952,8 @@ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1008,16 +1008,16 @@ "input.type": "log", "log.offset": 30055, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1073,16 +1073,16 @@ "input.type": "log", "log.offset": 31381, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1138,16 +1138,16 @@ "input.type": "log", "log.offset": 32700, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1208,8 +1208,8 @@ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1264,16 +1264,16 @@ "input.type": "log", "log.offset": 35375, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1329,16 +1329,16 @@ "input.type": "log", "log.offset": 36701, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1394,16 +1394,16 @@ "input.type": "log", "log.offset": 38020, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1461,16 +1461,16 @@ "input.type": "log", "log.offset": 39339, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -1528,16 +1528,16 @@ "input.type": "log", "log.offset": 40665, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1593,16 +1593,16 @@ "input.type": "log", "log.offset": 41991, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1658,16 +1658,16 @@ "input.type": "log", "log.offset": 43310, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1737,8 +1737,8 @@ "Demo_AMP_Exploit_Prevention" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1793,16 +1793,16 @@ "input.type": "log", "log.offset": 46087, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1858,16 +1858,16 @@ "input.type": "log", "log.offset": 47413, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1923,16 +1923,16 @@ "input.type": "log", "log.offset": 48732, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1990,16 +1990,16 @@ "input.type": "log", "log.offset": 50051, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2055,16 +2055,16 @@ "input.type": "log", "log.offset": 51377, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2120,16 +2120,16 @@ "input.type": "log", "log.offset": 52696, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2192,8 +2192,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2253,8 +2253,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2314,8 +2314,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2376,16 +2376,16 @@ "process.name": "explorer.exe", "process.pid": 3164, "related.hash": [ - "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", "b2e15a06b0cca8a926c94f8a8eae3d88", - "f9b02ad8d25157eebdb284631ff646316dc606d5" + "f9b02ad8d25157eebdb284631ff646316dc606d5", + "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc" ], "related.hosts": [ "Demo_Upatre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2443,16 +2443,16 @@ "input.type": "log", "log.offset": 59570, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2508,16 +2508,16 @@ "input.type": "log", "log.offset": 60896, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2573,16 +2573,16 @@ "input.type": "log", "log.offset": 62215, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2645,8 +2645,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2701,8 +2701,8 @@ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -2754,16 +2754,16 @@ "input.type": "log", "log.offset": 66143, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json index 1722799bd5e..239f25b52bc 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json @@ -43,16 +43,16 @@ "input.type": "log", "log.offset": 0, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -106,16 +106,16 @@ "input.type": "log", "log.offset": 1317, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -169,16 +169,16 @@ "input.type": "log", "log.offset": 2642, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -232,16 +232,16 @@ "input.type": "log", "log.offset": 3967, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -295,16 +295,16 @@ "input.type": "log", "log.offset": 5292, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -358,16 +358,16 @@ "input.type": "log", "log.offset": 6617, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -421,16 +421,16 @@ "input.type": "log", "log.offset": 7942, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -484,16 +484,16 @@ "input.type": "log", "log.offset": 9267, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -547,16 +547,16 @@ "input.type": "log", "log.offset": 10592, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -610,16 +610,16 @@ "input.type": "log", "log.offset": 11917, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -673,16 +673,16 @@ "input.type": "log", "log.offset": 13242, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -736,16 +736,16 @@ "input.type": "log", "log.offset": 14567, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -799,16 +799,16 @@ "input.type": "log", "log.offset": 15892, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -862,16 +862,16 @@ "input.type": "log", "log.offset": 17217, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -925,16 +925,16 @@ "input.type": "log", "log.offset": 18542, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -988,16 +988,16 @@ "input.type": "log", "log.offset": 19867, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1051,16 +1051,16 @@ "input.type": "log", "log.offset": 21191, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1120,8 +1120,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1175,16 +1175,16 @@ "input.type": "log", "log.offset": 23834, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1238,16 +1238,16 @@ "input.type": "log", "log.offset": 25159, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1301,16 +1301,16 @@ "input.type": "log", "log.offset": 26489, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1371,16 +1371,16 @@ "process.name": "t.exe", "process.pid": 2712, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1437,16 +1437,16 @@ "input.type": "log", "log.offset": 29385, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1507,16 +1507,16 @@ "process.name": "t.exe", "process.pid": 2712, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1573,16 +1573,16 @@ "input.type": "log", "log.offset": 32281, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1643,16 +1643,16 @@ "process.name": "explorer.exe", "process.pid": 3164, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1715,8 +1715,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1777,16 +1777,16 @@ "process.name": "explorer.exe", "process.pid": 3164, "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "209a288c68207d57e0ce6e60ebf60729", + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" ], "related.hosts": [ "Demo_TeslaCrypt" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1849,8 +1849,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1910,8 +1910,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1966,16 +1966,16 @@ "input.type": "log", "log.offset": 40652, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2031,16 +2031,16 @@ "input.type": "log", "log.offset": 41978, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2098,16 +2098,16 @@ "input.type": "log", "log.offset": 43297, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2165,16 +2165,16 @@ "input.type": "log", "log.offset": 44622, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2230,16 +2230,16 @@ "input.type": "log", "log.offset": 45948, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2297,16 +2297,16 @@ "input.type": "log", "log.offset": 47266, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2369,8 +2369,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2423,16 +2423,16 @@ "input.type": "log", "log.offset": 49910, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2495,8 +2495,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2556,8 +2556,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2617,8 +2617,8 @@ "Demo_Dyre" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2673,16 +2673,16 @@ "input.type": "log", "log.offset": 55186, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2738,16 +2738,16 @@ "input.type": "log", "log.offset": 56512, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2805,16 +2805,16 @@ "input.type": "log", "log.offset": 57830, "related.hash": [ + "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b99e0a8c56f963246b6464b9fffbf7a2" ], "related.hosts": [ "Demo_AMP_Threat_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json index 3fb89dbd615..bbe9a2da5a1 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json @@ -45,16 +45,16 @@ "input.type": "log", "log.offset": 0, "related.hash": [ - "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", "41476df3138717868118d8542cf3d1d6", - "5ca4bef8de6def53519d4b22632675bb4c1e470b" + "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" ], "related.hosts": [ "Demo_AMP" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -109,8 +109,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -164,8 +164,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -219,8 +219,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -285,8 +285,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -344,16 +344,16 @@ "input.type": "log", "log.offset": 6511, "related.hash": [ - "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", "b5ede95ec8bc4ad6984758be42b152bd", + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", "f504774b72acfb23a46217aec9c6559fd7e4df64" ], "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -419,8 +419,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -478,16 +478,16 @@ "input.type": "log", "log.offset": 9339, "related.hash": [ - "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", "b5ede95ec8bc4ad6984758be42b152bd", + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", "f504774b72acfb23a46217aec9c6559fd7e4df64" ], "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -542,8 +542,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -595,8 +595,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -650,8 +650,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -705,8 +705,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -760,8 +760,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -815,8 +815,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -870,8 +870,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -925,8 +925,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -980,8 +980,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1035,8 +1035,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1090,8 +1090,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1145,8 +1145,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1200,8 +1200,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1255,8 +1255,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1310,8 +1310,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1365,8 +1365,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1420,8 +1420,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1475,8 +1475,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1539,8 +1539,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1606,8 +1606,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1669,16 +1669,16 @@ "process.name": "tasksche.exe", "process.pid": 2920, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", "7bf2b57f2a205768755c07f238fb32cc", - "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1740,16 +1740,16 @@ "process.name": "tasksche.exe", "process.pid": 2920, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", "7bf2b57f2a205768755c07f238fb32cc", - "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -1804,8 +1804,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1857,8 +1857,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1910,8 +1910,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1963,8 +1963,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2016,8 +2016,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2071,8 +2071,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2126,8 +2126,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2181,8 +2181,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2236,8 +2236,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2306,8 +2306,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2371,16 +2371,16 @@ "process.name": "tasksche.exe", "process.pid": 2920, "related.hash": [ + "47a9ad4125b6bd7c55e4e7da251e23f089407b8f", "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", - "4fef5e34143e646dbf9907c4374276f5", - "47a9ad4125b6bd7c55e4e7da251e23f089407b8f" + "4fef5e34143e646dbf9907c4374276f5" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2435,8 +2435,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2488,8 +2488,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2544,16 +2544,16 @@ "input.type": "log", "log.offset": 53765, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2611,16 +2611,16 @@ "input.type": "log", "log.offset": 55136, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2682,16 +2682,16 @@ "process.name": "mssecsvc.exe", "process.pid": 7144, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2753,16 +2753,16 @@ "process.name": "mssecsvc.exe", "process.pid": 7144, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2824,8 +2824,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2887,8 +2887,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2960,8 +2960,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3033,8 +3033,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3080,8 +3080,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -3124,8 +3124,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3179,8 +3179,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3234,8 +3234,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3289,8 +3289,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3348,8 +3348,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3407,8 +3407,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3466,8 +3466,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3521,8 +3521,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3587,8 +3587,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3660,8 +3660,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3716,8 +3716,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3771,8 +3771,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -3826,8 +3826,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3879,8 +3879,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3938,8 +3938,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3997,8 +3997,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4052,16 +4052,16 @@ "input.type": "log", "log.offset": 85948, "related.hash": [ + "99fffe78e0cbd7b508eed13a8633903dd89ed5f1", "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", - "dc41e47ebba549ec5e616ed9e88a0376", - "99fffe78e0cbd7b508eed13a8633903dd89ed5f1" + "dc41e47ebba549ec5e616ed9e88a0376" ], "related.hosts": [ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4115,8 +4115,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4170,8 +4170,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4225,8 +4225,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4280,8 +4280,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4335,8 +4335,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -4390,8 +4390,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4445,8 +4445,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4500,8 +4500,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4555,8 +4555,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4610,8 +4610,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4665,8 +4665,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4720,8 +4720,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -4786,8 +4786,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -4849,16 +4849,16 @@ "process.name": "tasksche.exe", "process.pid": 2708, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -4920,8 +4920,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -4976,8 +4976,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -5031,8 +5031,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -5086,8 +5086,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -5141,8 +5141,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -5197,16 +5197,16 @@ "input.type": "log", "log.offset": 110571, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -5264,16 +5264,16 @@ "input.type": "log", "log.offset": 111942, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -5331,16 +5331,16 @@ "input.type": "log", "log.offset": 113313, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -5398,16 +5398,16 @@ "input.type": "log", "log.offset": 114684, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -5465,16 +5465,16 @@ "input.type": "log", "log.offset": 116055, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -5532,16 +5532,16 @@ "input.type": "log", "log.offset": 117426, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -5599,16 +5599,16 @@ "input.type": "log", "log.offset": 118797, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -5666,16 +5666,16 @@ "input.type": "log", "log.offset": 120168, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -5733,16 +5733,16 @@ "input.type": "log", "log.offset": 121539, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -5800,16 +5800,16 @@ "input.type": "log", "log.offset": 122910, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -5875,8 +5875,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json index 7f5499ebf3c..6447a46dd1c 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json 
@@ -50,16 +50,16 @@ "process.name": "mssecsvc.exe", "process.pid": 6404, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -116,8 +116,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -171,8 +171,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -231,8 +231,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -304,8 +304,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -377,8 +377,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -433,8 +433,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -488,8 +488,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -544,16 +544,16 @@ "input.type": "log", "log.offset": 10645, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", "6894b3834bd541fa85df79e44568acac", - "8cf0ca99a8f5019d8583133b9a9379299c45470c" + "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "related.hosts": [ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -611,16 +611,16 @@ "input.type": "log", "log.offset": 12021, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", "6894b3834bd541fa85df79e44568acac", - "8cf0ca99a8f5019d8583133b9a9379299c45470c" + "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], "related.hosts": [ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -675,8 +675,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -730,8 +730,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -785,8 +785,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -840,8 +840,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -893,8 +893,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -952,8 +952,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1007,16 +1007,16 @@ "input.type": "log", "log.offset": 20509, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", "7bf2b57f2a205768755c07f238fb32cc", - "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1074,8 +1074,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1133,8 +1133,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1188,8 +1188,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1241,8 +1241,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1304,8 +1304,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1367,8 +1367,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1422,8 +1422,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1477,8 +1477,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1532,8 +1532,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1591,8 +1591,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1650,8 +1650,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1705,16 +1705,16 @@ "input.type": "log", "log.offset": 35438, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "32c9e6737dbdcbfb7563a3f27e2b1571", + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "f5a171c879b90e77861daf19741b373646d791ff" ], "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1768,16 +1768,16 @@ "input.type": "log", "log.offset": 36775, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "2f99e3456dc1d26f77c52b2119fde92f", - "92673dd0e5f4a094fa6cd57bb301f884f2289f6c" + "92673dd0e5f4a094fa6cd57bb301f884f2289f6c", + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1847,38 +1847,38 @@ "wmiprvse.exe" ], "cisco.amp.bp_data.normalized.observables.file.path": [ - "c:\\windows\\system32\\windowspowershell\\v1.0", - "c:\\windows\\system32\\wbem" + "c:\\windows\\system32\\wbem", + "c:\\windows\\system32\\windowspowershell\\v1.0" ], "cisco.amp.bp_data.observables.file": [ { - "md5": "a575a7610e5f003cc36df39e07c4ba7d", - "name": "powershell.exe", - "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "md5": "d683c112190f4b4c6d477d693ee88e35", + "name": "WmiPrvSE.exe", + "path": "C:\\Windows\\System32\\wbem", "properties": { "copyright": "\u00a9 Microsoft Corporation. All rights reserved.", "file_version": "10.0.14409.1005", "product": "Microsoft\u00ae Windows\u00ae Operating System", "product_version": "10.0.14409.1005" }, - "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e", - "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218", - "size": 443392, + "sha1": "67858ead93feed62c0b1865369840e6e8086f53b", + "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334", + "size": 425984, "type_id": 1 }, { - "md5": "d683c112190f4b4c6d477d693ee88e35", - "name": "WmiPrvSE.exe", - "path": "C:\\Windows\\System32\\wbem", + "md5": "a575a7610e5f003cc36df39e07c4ba7d", + "name": "powershell.exe", + "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "properties": { "copyright": "\u00a9 Microsoft Corporation. All rights reserved.", "file_version": "10.0.14409.1005", "product": "Microsoft\u00ae Windows\u00ae Operating System", "product_version": "10.0.14409.1005" }, - "sha1": "67858ead93feed62c0b1865369840e6e8086f53b", - "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334", - "size": 425984, + "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e", + "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218", + "size": 443392, "type_id": 1 } ], 
@@ -1932,8 +1932,8 @@ "Demo_BP_WMIPRVSE" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1987,8 +1987,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2042,8 +2042,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2097,8 +2097,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2152,8 +2152,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2211,8 +2211,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2270,8 +2270,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2329,8 +2329,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2388,8 +2388,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2447,8 +2447,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2506,8 +2506,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2565,8 +2565,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -2620,8 +2620,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2676,16 +2676,16 @@ "input.type": "log", "log.offset": 83114, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "32c9e6737dbdcbfb7563a3f27e2b1571", + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "f5a171c879b90e77861daf19741b373646d791ff" ], "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2745,8 +2745,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2804,16 +2804,16 @@ "input.type": "log", "log.offset": 85686, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "32c9e6737dbdcbfb7563a3f27e2b1571", + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "f5a171c879b90e77861daf19741b373646d791ff" ], "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2868,8 +2868,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2923,8 +2923,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2989,8 +2989,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3045,8 +3045,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -3100,8 +3100,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3155,8 +3155,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3215,8 +3215,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3278,8 +3278,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3341,8 +3341,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3404,8 +3404,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3467,8 +3467,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3530,8 +3530,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3593,8 +3593,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3656,8 +3656,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3719,8 +3719,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json index a8bcab1df6e..12eef83ceff 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json @@ -45,8 +45,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -100,8 +100,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -155,8 +155,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -210,8 +210,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -265,8 +265,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -320,8 +320,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -380,8 +380,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -443,16 +443,16 @@ "process.name": "tasksche.exe", "process.pid": 1008, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", "7bf2b57f2a205768755c07f238fb32cc", - "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -514,8 +514,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -577,8 +577,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -633,8 +633,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -686,8 +686,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -739,8 +739,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -799,8 +799,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -864,16 +864,16 @@ "process.name": "cmd.exe", "process.pid": 5748, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -935,16 +935,16 @@ "process.name": "tasksche.exe", "process.pid": 4772, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1012,8 +1012,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1085,8 +1085,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1143,8 +1143,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1198,8 +1198,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1251,8 +1251,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1310,8 +1310,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1369,8 +1369,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1424,16 +1424,16 @@ "input.type": "log", "log.offset": 29393, "related.hash": [ - "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", "6894b3834bd541fa85df79e44568acac", - "8cf0ca99a8f5019d8583133b9a9379299c45470c" + "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], "related.hosts": [ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1491,8 +1491,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1544,8 +1544,8 @@ "Demo_Low_Prev_Retro" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1599,16 +1599,16 @@ "input.type": "log", "log.offset": 33628, "related.hash": [ - "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", "48a0bf05b9706a00d2a0ff6260412f11", - "5058b16a86beee96927371210b9a9f682976a50a" + "5058b16a86beee96927371210b9a9f682976a50a", + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" ], "related.hosts": [ "Demo_Low_Prev_Retro" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1666,8 +1666,8 @@ "Demo_Low_Prev_Retro" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1721,8 +1721,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1785,8 +1785,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1854,8 +1854,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1919,8 +1919,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1992,8 +1992,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2059,8 +2059,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2124,8 +2124,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2180,8 +2180,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2233,8 +2233,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2295,16 +2295,16 @@ "process.name": "mssecsvc.exe", "process.pid": 5580, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2360,8 +2360,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2404,8 +2404,8 @@ "Demo_Qakbot_3" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2459,8 +2459,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2519,8 +2519,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2582,8 +2582,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2640,8 +2640,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2695,8 +2695,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2750,8 +2750,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2805,8 +2805,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2860,8 +2860,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -2920,16 +2920,16 @@ "process.name": "tasksche.exe", "process.pid": 4688, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", "7bf2b57f2a205768755c07f238fb32cc", - "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2991,8 +2991,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -3047,8 +3047,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -3102,8 +3102,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json index 3e3f7423594..2f7f4f45797 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json @@ -45,8 +45,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -105,8 +105,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -168,8 +168,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -227,16 +227,16 @@ "input.type": "log", "log.offset": 3738, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -294,16 +294,16 @@ "input.type": "log", "log.offset": 5108, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -358,8 +358,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -413,8 +413,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -466,8 +466,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -522,16 +522,16 @@ "input.type": "log", "log.offset": 9881, "related.hash": [ - "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12", "a97fb86da4e010974860e5024137b56b", - "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12" + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], "related.hosts": [ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -592,8 +592,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -651,8 +651,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -710,8 +710,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -764,8 +764,8 @@ "Demo_Low_Prev_Retro" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -808,8 +808,8 @@ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -861,16 +861,16 @@ "input.type": "log", "log.offset": 17570, "related.hash": [ - "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", "48a0bf05b9706a00d2a0ff6260412f11", - "5058b16a86beee96927371210b9a9f682976a50a" + "5058b16a86beee96927371210b9a9f682976a50a", + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" ], "related.hosts": [ "Demo_Low_Prev_Retro" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -939,8 +939,8 @@ "Demo_Qakbot_2" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -995,8 +995,8 @@ "Demo_Qakbot_2" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1050,8 +1050,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1116,8 +1116,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1181,16 +1181,16 @@ "process.name": "mssecsvc.exe", "process.pid": 2980, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1245,8 +1245,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1289,8 +1289,8 @@ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1345,8 +1345,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1401,8 +1401,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1454,8 +1454,8 @@ "Demo_AMP_Exploit_Prevention_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -1509,16 +1509,16 @@ "input.type": "log", "log.offset": 31671, "related.hash": [ - "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", "5df0c4ebca109779dc8afc745d612637", - "bdb11107a33eaeded6a838eb2a0e6167637dbe9c" + "bdb11107a33eaeded6a838eb2a0e6167637dbe9c", + "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79" ], "related.hosts": [ "Demo_AMP_Exploit_Prevention_Audit" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1572,8 +1572,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1632,8 +1632,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1690,8 +1690,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1745,8 +1745,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1800,8 +1800,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1860,8 +1860,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -1916,8 +1916,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -1969,8 +1969,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -2029,8 +2029,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2088,16 +2088,16 @@ "input.type": "log", "log.offset": 43815, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2152,8 +2152,8 @@ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2208,16 +2208,16 @@ "input.type": "log", "log.offset": 46299, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2275,16 +2275,16 @@ "input.type": "log", "log.offset": 47663, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" 
@@ -2342,16 +2342,16 @@ "input.type": "log", "log.offset": 49034, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2415,16 +2415,16 @@ "process.name": "mssecsvc.exe", "process.pid": 3020, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", - "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2486,16 +2486,16 @@ "process.name": "services.exe", "process.pid": 480, "related.hash": [ - "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", "75a758a0c5cea48c9922d64a113d0f9d", + "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", "c78f4c22dd195a1791472a2c271a0c85b53900d9" ], "related.hosts": [ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "related.user": [ "user@testdomain.com" @@ -2556,8 +2556,8 @@ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2615,8 +2615,8 @@ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ 
@@ -2674,8 +2674,8 @@ "Demo_Command_Line_Arguments_Kovter" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2733,8 +2733,8 @@ "Demo_Command_Line_Arguments_Kovter" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2788,8 +2788,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ @@ -2841,8 +2841,8 @@ "Demo_Qakbot_1" ], "related.ip": [ - "8.8.8.8", - "10.10.10.10" + "10.10.10.10", + "8.8.8.8" ], "service.type": "cisco", "tags": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 7f641d9becd..ca13f9857fe 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -45,9 +45,9 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8", "192.168.2.2", - "8.8.5.4" + "8.8.5.4", + "8.8.8.8" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -105,9 +105,9 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8", "192.168.2.2", - "8.8.5.4" + "8.8.5.4", + "8.8.8.8" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -156,9 +156,9 @@ "dev01" ], "related.ip": [ + "10.10.10.10", "192.168.2.2", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -293,9 +293,9 @@ "dev01" ], "related.ip": [ + "10.10.10.10", "192.168.2.2", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -350,9 +350,9 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8", "192.168.2.2", - "8.8.5.4" + "8.8.5.4", + "8.8.8.8" ], "service.type": "cisco", "source.address": "10.10.10.10", 
@@ -438,8 +438,8 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -457,8 +457,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -508,8 +508,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.192.18.4" + "10.192.18.4", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -630,8 +630,8 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8", - "192.168.2.2" + "192.168.2.2", + "8.8.8.8" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -764,9 +764,9 @@ "dev01" ], "related.ip": [ + "10.10.10.10", "10.192.46.90", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "service.type": "cisco", "source.address": "10.192.46.90", @@ -814,9 +814,9 @@ "dev01" ], "related.ip": [ + "10.10.10.10", "192.168.2.2", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -929,9 +929,9 @@ "dev01" ], "related.ip": [ + "10.10.10.10", "192.168.2.2", - "8.8.8.8", - "10.10.10.10" + "8.8.8.8" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -1016,8 +1016,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -1115,8 +1115,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -1135,8 +1135,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -1259,8 +1259,8 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.4", "192.168.2.2", + "8.8.8.4", "8.8.8.8" ], "service.type": "cisco", 
@@ -1319,8 +1319,8 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.4", "192.168.2.2", + "8.8.8.4", "8.8.8.8" ], "service.type": "cisco", @@ -1354,8 +1354,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -1404,8 +1404,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -1423,8 +1423,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -1453,8 +1453,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -1473,8 +1473,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -1504,8 +1504,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -1523,8 +1523,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -1554,8 +1554,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -1573,8 +1573,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -1604,8 +1604,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", 
@@ -1623,8 +1623,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -1770,8 +1770,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", - "192.1682.2.2" + "192.1682.2.2", + "dev01" ], "related.ip": [ "10.10.10.10" @@ -1994,8 +1994,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2014,8 +2014,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -2047,8 +2047,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2067,8 +2067,8 @@ "dev01" ], "related.ip": [ - "192.168.2.2", - "10.10.10.10" + "10.10.10.10", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", @@ -2166,8 +2166,8 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2284,8 +2284,8 @@ "event.severity": 3, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2376,8 +2376,8 @@ "event.severity": 3, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2474,8 +2474,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2521,8 +2521,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", 
@@ -2568,8 +2568,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2615,8 +2615,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2741,8 +2741,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2804,8 +2804,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2851,8 +2851,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -2864,8 +2864,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", - "console" + "console", + "dev01" ], "service.type": "cisco", "source.address": "console", @@ -2977,8 +2977,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -3073,8 +3073,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -3429,8 +3429,8 @@ "event.severity": 3, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -3490,8 +3490,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", 
@@ -3509,8 +3509,8 @@ "dev01" ], "related.ip": [ - "91.240.17.178", - "192.168.2.2" + "192.168.2.2", + "91.240.17.178" ], "service.type": "cisco", "source.address": "91.240.17.178", @@ -3562,8 +3562,8 @@ "dev01" ], "related.ip": [ - "91.240.17.138", - "192.168.2.2" + "192.168.2.2", + "91.240.17.138" ], "service.type": "cisco", "source.address": "91.240.17.138", @@ -3604,8 +3604,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -3622,8 +3622,8 @@ "dev01" ], "related.ip": [ - "91.240.17.178", - "192.168.2.2" + "192.168.2.2", + "91.240.17.178" ], "service.type": "cisco", "source.address": "91.240.17.178", @@ -3682,8 +3682,8 @@ "dev01" ], "related.ip": [ - "91.240.17.178", - "192.168.2.2" + "192.168.2.2", + "91.240.17.178" ], "service.type": "cisco", "source.address": "91.240.17.178", @@ -3738,8 +3738,8 @@ "dev01" ], "related.ip": [ - "91.240.17.178", - "192.168.2.2" + "192.168.2.2", + "91.240.17.178" ], "related.user": [ "admin" @@ -3797,8 +3797,8 @@ "dev01" ], "related.ip": [ - "91.240.17.178", - "192.168.2.2" + "192.168.2.2", + "91.240.17.178" ], "related.user": [ "admin" @@ -3840,8 +3840,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -3932,8 +3932,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "error", - "denied" + "denied", + "error" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -3979,8 +3979,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "error", - "denied" + "denied", + "error" ], "fileset.name": "asa", "host.hostname": "dev01", @@ -4050,8 +4050,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "error", - "denied" + "denied", + "error" ], "fileset.name": "asa", "host.hostname": "dev01", 
@@ -4087,8 +4087,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "error", - "denied" + "denied", + "error" ], "fileset.name": "asa", "host.hostname": "dev01", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 4e637011f22..2e51f4519de 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -77,8 +77,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "SNL-ASA-VPN-A01", @@ -128,8 +128,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -176,8 +176,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "SNL-ASA-VPN-A01", @@ -224,8 +224,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "SNL-ASA-VPN-A01", @@ -268,8 +268,8 @@ "event.severity": 3, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "SNL-ASA-VPN-A01", @@ -322,8 +322,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -337,8 +337,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "10.255.0.206", - "10.12.31.51" + "10.12.31.51", + "10.255.0.206" ], "service.type": "cisco", "source.address": "10.255.0.206", 
@@ -370,8 +370,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -418,8 +418,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -467,8 +467,8 @@ "event.severity": 3, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -526,8 +526,8 @@ "event.severity": 1, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -541,8 +541,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "10.1.2.3", - "1.2.33.40" + "1.2.33.40", + "10.1.2.3" ], "related.user": [ "joe" diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 5ef9d2d302c..9018b8861d8 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -41,8 +41,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -1192,8 +1192,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -1486,8 +1486,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -1600,8 +1600,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", 
@@ -1954,8 +1954,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -2068,8 +2068,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -2362,8 +2362,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -2716,8 +2716,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3071,8 +3071,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3185,8 +3185,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3299,8 +3299,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3533,8 +3533,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3647,8 +3647,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3882,8 +3882,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", 
@@ -4056,8 +4056,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -4208,8 +4208,8 @@ "localhost" ], "related.ip": [ - "172.31.156.80", - "100.66.98.44" + "100.66.98.44", + "172.31.156.80" ], "service.type": "cisco", "source.address": "172.31.156.80", @@ -4672,8 +4672,8 @@ "localhost" ], "related.ip": [ - "172.31.156.80", - "100.66.98.44" + "100.66.98.44", + "172.31.156.80" ], "service.type": "cisco", "source.address": "172.31.156.80", @@ -4766,8 +4766,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4823,8 +4823,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4880,8 +4880,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4937,8 +4937,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4994,8 +4994,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -5051,8 +5051,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -5108,8 +5108,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", 
@@ -5165,8 +5165,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -5222,8 +5222,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -5279,8 +5279,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -5336,8 +5336,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -5393,8 +5393,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -5450,8 +5450,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -5527,8 +5527,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -5641,8 +5641,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index ef40c896297..0b0201c9b6c 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -54,8 +54,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "beats", 
diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index e03c1a5c403..adfb513bdb9 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -32,9 +32,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ + "Prod-host.name.addr", "localhost", - "target.destination.hostname.local", - "Prod-host.name.addr" + "target.destination.hostname.local" ], "related.ip": [ "10.0.55.66" diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 8e79d12f022..7ed1241d229 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -21,8 +21,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -89,8 +89,8 @@ "localhost" ], "related.ip": [ - "192.168.132.46", - "172.24.177.29" + "172.24.177.29", + "192.168.132.46" ], "service.type": "cisco", "source.address": "192.168.132.46", @@ -129,8 +129,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -147,8 +147,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "localhost", - "example.org" + "example.org", + "localhost" ], "related.ip": [ "10.10.10.1", diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 7a8c5d42848..c5577eeae38 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json 
@@ -21,8 +21,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -71,8 +71,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -122,8 +122,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -172,8 +172,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "INT-FW01", @@ -227,8 +227,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "host.hostname": "INT-FW01", @@ -349,8 +349,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.2.43", - "10.123.3.42" + "10.123.3.42", + "192.0.2.43" ], "service.type": "cisco", "source.address": "192.0.2.43", @@ -450,9 +450,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ + "10.123.1.35", "192.0.2.222", - "192.0.2.43", - "10.123.1.35" + "192.0.2.43" ], "service.type": "cisco", "source.address": "192.0.2.222", @@ -554,9 +554,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.2.1", + "10.123.3.130", "10.123.3.42", - "10.123.3.130" + "192.0.2.1" ], "service.type": "cisco", "source.address": "192.0.2.1", @@ -608,8 +608,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.2.222", - "10.123.1.35" + "10.123.1.35", + "192.0.2.222" ], "service.type": "cisco", "source.address": "192.0.2.222", 
@@ -663,8 +663,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.2.222", - "10.123.1.35" + "10.123.1.35", + "192.0.2.222" ], "service.type": "cisco", "source.address": "192.0.2.222", @@ -712,8 +712,8 @@ "FJSG2NRFW01" ], "related.ip": [ - "192.168.132.46", - "172.24.177.29" + "172.24.177.29", + "192.168.132.46" ], "service.type": "cisco", "source.address": "192.168.132.46", @@ -758,8 +758,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.168.3.42", - "192.0.0.130" + "192.0.0.130", + "192.168.3.42" ], "service.type": "cisco", "source.address": "192.168.3.42", @@ -813,9 +813,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ + "10.0.0.130", "192.0.0.17", - "192.168.3.42", - "10.0.0.130" + "192.168.3.42" ], "service.type": "cisco", "source.address": "192.0.0.17", @@ -845,8 +845,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -861,8 +861,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.0.66", - "10.1.2.60" + "10.1.2.60", + "192.0.0.66" ], "service.type": "cisco", "source.address": "192.0.0.66", @@ -895,8 +895,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -945,8 +945,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -995,8 +995,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1045,8 +1045,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", 
@@ -1095,8 +1095,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1145,8 +1145,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1195,8 +1195,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1245,8 +1245,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1295,8 +1295,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1345,8 +1345,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1393,8 +1393,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1409,8 +1409,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.2.66", - "10.1.2.42" + "10.1.2.42", + "192.0.2.66" ], "service.type": "cisco", "source.address": "192.0.2.66", @@ -1440,8 +1440,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1456,8 +1456,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.2.66", - "10.1.5.60" + "10.1.5.60", + "192.0.2.66" ], "service.type": "cisco", "source.address": "192.0.2.66", 
@@ -1490,8 +1490,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1540,8 +1540,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1590,8 +1590,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1640,8 +1640,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1690,8 +1690,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1740,8 +1740,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1756,8 +1756,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.2.126", - "10.0.0.132" + "10.0.0.132", + "192.0.2.126" ], "service.type": "cisco", "source.address": "192.0.2.126", @@ -1790,8 +1790,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1806,8 +1806,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.0.2.126", - "10.0.0.132" + "10.0.0.132", + "192.0.2.126" ], "service.type": "cisco", "source.address": "192.0.2.126", @@ -1840,8 +1840,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", 
@@ -1890,8 +1890,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -1941,8 +1941,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -2011,8 +2011,8 @@ "observer.vendor": "Cisco", "process.name": "", "related.ip": [ - "192.168.77.12", - "10.0.13.13" + "10.0.13.13", + "192.168.77.12" ], "service.type": "cisco", "source.address": "192.168.77.12", @@ -2045,8 +2045,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -2062,8 +2062,8 @@ "observer.vendor": "Cisco", "process.name": "", "related.ip": [ - "192.168.1.33", - "192.0.0.12" + "192.0.0.12", + "192.168.1.33" ], "service.type": "cisco", "source.address": "192.168.1.33", @@ -2096,8 +2096,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -2113,8 +2113,8 @@ "observer.vendor": "Cisco", "process.name": "", "related.ip": [ - "192.168.1.33", - "192.0.0.12" + "192.0.0.12", + "192.168.1.33" ], "service.type": "cisco", "source.address": "192.168.1.33", @@ -2422,8 +2422,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -2470,8 +2470,8 @@ "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -2520,8 +2520,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", 
@@ -2537,8 +2537,8 @@ "observer.vendor": "Cisco", "process.name": "", "related.ip": [ - "192.168.1.34", - "192.0.0.12" + "192.0.0.12", + "192.168.1.34" ], "service.type": "cisco", "source.address": "192.168.1.34", @@ -2700,8 +2700,8 @@ "observer.vendor": "Cisco", "process.name": "", "related.ip": [ - "192.0.2.222", - "10.10.10.10" + "10.10.10.10", + "192.0.2.222" ], "service.type": "cisco", "source.address": "192.0.2.222", @@ -2753,8 +2753,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "10.44.4.4", - "10.44.2.2" + "10.44.2.2", + "10.44.4.4" ], "service.type": "cisco", "source.address": "10.44.4.4", @@ -2784,8 +2784,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -2832,8 +2832,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -2880,8 +2880,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -2928,8 +2928,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -2976,8 +2976,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -3024,8 +3024,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -3072,8 +3072,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", 
@@ -3120,8 +3120,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -3171,8 +3171,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -3192,8 +3192,8 @@ "GIFRCHN01" ], "related.ip": [ - "192.0.2.95", - "10.32.112.125" + "10.32.112.125", + "192.0.2.95" ], "service.type": "cisco", "source.address": "192.0.2.95", @@ -3223,8 +3223,8 @@ "event.severity": 3, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", @@ -3273,8 +3273,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -3288,8 +3288,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "172.16.30.2", - "172.16.1.10" + "172.16.1.10", + "172.16.30.2" ], "service.type": "cisco", "source.address": "172.16.30.2", @@ -3326,8 +3326,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -3446,8 +3446,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -3494,8 +3494,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -3537,8 +3537,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "asa", "input.type": "log", 
@@ -3583,8 +3583,8 @@ "event.severity": 5, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "asa", "input.type": "log", @@ -3663,8 +3663,8 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "10.2.3.4", - "1.2.3.4" + "1.2.3.4", + "10.2.3.4" ], "related.user": [ "username" diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 5211256b5f7..cd7c209441d 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -79,8 +79,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "ftd", "host.hostname": "SNL-ASA-VPN-A01", @@ -131,8 +131,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "ftd", "input.type": "log", @@ -180,8 +180,8 @@ "event.severity": 4, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "ftd", "host.hostname": "SNL-ASA-VPN-A01", @@ -229,8 +229,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "ftd", "host.hostname": "SNL-ASA-VPN-A01", diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 9b6475f3329..4cb46a4477a 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json @@ -40,8 +40,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", 
@@ -1172,8 +1172,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -1461,8 +1461,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -1573,8 +1573,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -1921,8 +1921,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -2033,8 +2033,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -2322,8 +2322,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -2670,8 +2670,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3019,8 +3019,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3131,8 +3131,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", @@ -3243,8 +3243,8 @@ "localhost" ], "related.ip": [ - "172.31.98.44", - "100.66.98.44" + "100.66.98.44", + "172.31.98.44" ], "service.type": "cisco", "source.address": "172.31.98.44", 
@@ -3473,8 +3473,8 @@
 "localhost"
 ],
 "related.ip": [
- "172.31.98.44",
- "100.66.98.44"
+ "100.66.98.44",
+ "172.31.98.44"
 ],
 "service.type": "cisco",
 "source.address": "172.31.98.44",
@@ -3585,8 +3585,8 @@
 "localhost"
 ],
 "related.ip": [
- "172.31.98.44",
- "100.66.98.44"
+ "100.66.98.44",
+ "172.31.98.44"
 ],
 "service.type": "cisco",
 "source.address": "172.31.98.44",
@@ -3816,8 +3816,8 @@
 "localhost"
 ],
 "related.ip": [
- "172.31.98.44",
- "100.66.98.44"
+ "100.66.98.44",
+ "172.31.98.44"
 ],
 "service.type": "cisco",
 "source.address": "172.31.98.44",
@@ -3987,8 +3987,8 @@
 "localhost"
 ],
 "related.ip": [
- "172.31.98.44",
- "100.66.98.44"
+ "100.66.98.44",
+ "172.31.98.44"
 ],
 "service.type": "cisco",
 "source.address": "172.31.98.44",
@@ -4136,8 +4136,8 @@
 "localhost"
 ],
 "related.ip": [
- "172.31.156.80",
- "100.66.98.44"
+ "100.66.98.44",
+ "172.31.156.80"
 ],
 "service.type": "cisco",
 "source.address": "172.31.156.80",
@@ -4590,8 +4590,8 @@
 "localhost"
 ],
 "related.ip": [
- "172.31.156.80",
- "100.66.98.44"
+ "100.66.98.44",
+ "172.31.156.80"
 ],
 "service.type": "cisco",
 "source.address": "172.31.156.80",
@@ -4683,8 +4683,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -4739,8 +4739,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -4795,8 +4795,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -4851,8 +4851,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -4907,8 +4907,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -4963,8 +4963,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -5019,8 +5019,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -5075,8 +5075,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -5131,8 +5131,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -5187,8 +5187,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -5243,8 +5243,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -5299,8 +5299,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -5355,8 +5355,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -5430,8 +5430,8 @@
 "localhost"
 ],
 "related.ip": [
- "172.31.98.44",
- "100.66.98.44"
+ "100.66.98.44",
+ "172.31.98.44"
 ],
 "service.type": "cisco",
 "source.address": "172.31.98.44",
@@ -5542,8 +5542,8 @@
 "localhost"
 ],
 "related.ip": [
- "172.31.98.44",
- "100.66.98.44"
+ "100.66.98.44",
+ "172.31.98.44"
 ],
 "service.type": "cisco",
 "source.address": "172.31.98.44",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
index ffc81a2f737..fee96281cd8 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
@@ -4,8 +4,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -64,9 +64,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -113,8 +113,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -175,9 +175,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -224,8 +224,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -284,9 +284,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -333,8 +333,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -395,9 +395,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -444,8 +444,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -505,9 +505,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -554,8 +554,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -614,9 +614,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -663,8 +663,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -726,9 +726,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -775,8 +775,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -835,9 +835,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -884,8 +884,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -945,9 +945,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -994,8 +994,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1056,9 +1056,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1105,8 +1105,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1168,9 +1168,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1217,8 +1217,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1273,9 +1273,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1322,8 +1322,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1383,9 +1383,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1432,8 +1432,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1492,9 +1492,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1541,8 +1541,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1602,9 +1602,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1651,8 +1651,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1713,9 +1713,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1762,8 +1762,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1822,9 +1822,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1871,8 +1871,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -1931,9 +1931,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -1980,8 +1980,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -2040,9 +2040,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -2089,8 +2089,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -2147,9 +2147,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
@@ -2196,8 +2196,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -2258,9 +2258,9 @@
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
index f8745332a6f..699f5430063 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
@@ -4,8 +4,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430001",
 "cisco.ftd.rule_name": [
- "intrusion-policy",
- "default"
+ "default",
+ "intrusion-policy"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.application_protocol": "HTTP",
@@ -91,8 +91,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430001",
 "cisco.ftd.rule_name": [
- "intrusion-policy",
- "default"
+ "default",
+ "intrusion-policy"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.application_protocol": "HTTP",
@@ -178,8 +178,8 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "430001",
 "cisco.ftd.rule_name": [
- "intrusion-policy",
- "default"
+ "default",
+ "intrusion-policy"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.classification": "Misc Activity",
@@ -238,8 +238,8 @@
 "firepower"
 ],
 "related.ip": [
- "10.0.100.30",
- "10.0.1.20"
+ "10.0.1.20",
+ "10.0.100.30"
 ],
 "related.user": [
 "No Authentication Required"
@@ -261,8 +261,8 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "430001",
 "cisco.ftd.rule_name": [
- "intrusion-policy",
- "default"
+ "default",
+ "intrusion-policy"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.classification": "Misc Activity",
@@ -321,8 +321,8 @@
 "firepower"
 ],
 "related.ip": [
- "10.0.100.30",
- "10.0.1.20"
+ "10.0.1.20",
+ "10.0.100.30"
 ],
 "related.user": [
 "No Authentication Required"
diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
index b204f179fa3..500a6538886 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
@@ -142,8 +142,8 @@
 "cisco.ftd.security.dst_port": "64311",
 "cisco.ftd.security.http_response": "404",
 "cisco.ftd.security.message": [
- "This one has a type id",
- "And two messages"
+ "And two messages",
+ "This one has a type id"
 ],
 "cisco.ftd.security.src_ip": "127.0.0.1",
 "cisco.ftd.security.src_port": "512",
@@ -171,8 +171,8 @@
 "log.level": "error",
 "log.offset": 377,
 "message": [
- "This one has a type id",
- "And two messages"
+ "And two messages",
+ "This one has a type id"
 ],
 "observer.hostname": "beats",
 "observer.product": "ftd",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
index 3f384531b33..ad6291a1ab5 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
@@ -21,8 +21,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -87,8 +87,8 @@
 "localhost"
 ],
 "related.ip": [
- "192.168.132.46",
- "172.24.177.29"
+ "172.24.177.29",
+ "192.168.132.46"
 ],
 "service.type": "cisco",
 "source.address": "192.168.132.46",
@@ -127,8 +127,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
@@ -144,8 +144,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.hosts": [
- "localhost",
- "example.org"
+ "example.org",
+ "localhost"
 ],
 "related.ip": [
 "10.10.10.1",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
index a287b33f252..d98b22e1bb4 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
@@ -21,8 +21,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -70,8 +70,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -120,8 +120,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -169,8 +169,8 @@
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "INT-FW01",
@@ -223,8 +223,8 @@
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "INT-FW01",
@@ -342,8 +342,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.2.43",
- "10.123.3.42"
+ "10.123.3.42",
+ "192.0.2.43"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.43",
@@ -441,9 +441,9 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
+ "10.123.1.35",
 "192.0.2.222",
- "192.0.2.43",
- "10.123.1.35"
+ "192.0.2.43"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.222",
@@ -543,9 +543,9 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.2.1",
+ "10.123.3.130",
 "10.123.3.42",
- "10.123.3.130"
+ "192.0.2.1"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.1",
@@ -596,8 +596,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.2.222",
- "10.123.1.35"
+ "10.123.1.35",
+ "192.0.2.222"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.222",
@@ -650,8 +650,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.2.222",
- "10.123.1.35"
+ "10.123.1.35",
+ "192.0.2.222"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.222",
@@ -698,8 +698,8 @@
 "FJSG2NRFW01"
 ],
 "related.ip": [
- "192.168.132.46",
- "172.24.177.29"
+ "172.24.177.29",
+ "192.168.132.46"
 ],
 "service.type": "cisco",
 "source.address": "192.168.132.46",
@@ -743,8 +743,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.168.3.42",
- "192.0.0.130"
+ "192.0.0.130",
+ "192.168.3.42"
 ],
 "service.type": "cisco",
 "source.address": "192.168.3.42",
@@ -797,9 +797,9 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
+ "10.0.0.130",
 "192.0.0.17",
- "192.168.3.42",
- "10.0.0.130"
+ "192.168.3.42"
 ],
 "service.type": "cisco",
 "source.address": "192.0.0.17",
@@ -829,8 +829,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -844,8 +844,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.0.66",
- "10.1.2.60"
+ "10.1.2.60",
+ "192.0.0.66"
 ],
 "service.type": "cisco",
 "source.address": "192.0.0.66",
@@ -878,8 +878,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -927,8 +927,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -976,8 +976,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1025,8 +1025,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1074,8 +1074,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1123,8 +1123,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1172,8 +1172,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1221,8 +1221,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1270,8 +1270,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1319,8 +1319,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1366,8 +1366,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1381,8 +1381,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.2.66",
- "10.1.2.42"
+ "10.1.2.42",
+ "192.0.2.66"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.66",
@@ -1412,8 +1412,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1427,8 +1427,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.2.66",
- "10.1.5.60"
+ "10.1.5.60",
+ "192.0.2.66"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.66",
@@ -1461,8 +1461,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1510,8 +1510,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1559,8 +1559,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1608,8 +1608,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1657,8 +1657,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1706,8 +1706,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1721,8 +1721,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.2.126",
- "10.0.0.132"
+ "10.0.0.132",
+ "192.0.2.126"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.126",
@@ -1755,8 +1755,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1770,8 +1770,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.0.2.126",
- "10.0.0.132"
+ "10.0.0.132",
+ "192.0.2.126"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.126",
@@ -1804,8 +1804,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1853,8 +1853,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1903,8 +1903,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -1975,8 +1975,8 @@
 "127.0.0.1"
 ],
 "related.ip": [
- "192.168.77.12",
- "10.0.13.13"
+ "10.0.13.13",
+ "192.168.77.12"
 ],
 "service.type": "cisco",
 "source.address": "192.168.77.12",
@@ -2009,8 +2009,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
@@ -2029,8 +2029,8 @@
 "127.0.0.1"
 ],
 "related.ip": [
- "192.168.1.33",
- "192.0.0.12"
+ "192.0.0.12",
+ "192.168.1.33"
 ],
 "service.type": "cisco",
 "source.address": "192.168.1.33",
@@ -2063,8 +2063,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
@@ -2083,8 +2083,8 @@
 "127.0.0.1"
 ],
 "related.ip": [
- "192.168.1.33",
- "192.0.0.12"
+ "192.0.0.12",
+ "192.168.1.33"
 ],
 "service.type": "cisco",
 "source.address": "192.168.1.33",
@@ -2403,8 +2403,8 @@
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
@@ -2454,8 +2454,8 @@
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
@@ -2507,8 +2507,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
@@ -2527,8 +2527,8 @@
 "127.0.0.1"
 ],
 "related.ip": [
- "192.168.1.34",
- "192.0.0.12"
+ "192.0.0.12",
+ "192.168.1.34"
 ],
 "service.type": "cisco",
 "source.address": "192.168.1.34",
@@ -2699,8 +2699,8 @@
 "127.0.0.1"
 ],
 "related.ip": [
- "192.0.2.222",
- "10.10.10.10"
+ "10.10.10.10",
+ "192.0.2.222"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.222",
@@ -2751,8 +2751,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.44.4.4",
- "10.44.2.2"
+ "10.44.2.2",
+ "10.44.4.4"
 ],
 "service.type": "cisco",
 "source.address": "10.44.4.4",
@@ -2782,8 +2782,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -2829,8 +2829,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -2876,8 +2876,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -2923,8 +2923,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -2970,8 +2970,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -3017,8 +3017,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -3064,8 +3064,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -3111,8 +3111,8 @@
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -3161,8 +3161,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -3181,8 +3181,8 @@
 "GIFRCHN01"
 ],
 "related.ip": [
- "192.0.2.95",
- "10.32.112.125"
+ "10.32.112.125",
+ "192.0.2.95"
 ],
 "service.type": "cisco",
 "source.address": "192.0.2.95",
@@ -3212,8 +3212,8 @@
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "GIFRCHN01",
@@ -3261,8 +3261,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -3275,8 +3275,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "172.16.30.2",
- "172.16.1.10"
+ "172.16.1.10",
+ "172.16.30.2"
 ],
 "service.type": "cisco",
 "source.address": "172.16.30.2",
@@ -3313,8 +3313,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -3434,8 +3434,8 @@
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -3481,8 +3481,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -3523,8 +3523,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
@@ -3568,8 +3568,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "denied",
+ "info"
 ],
 "fileset.name": "ftd",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
index f65ccf20d71..4024ac087a0 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
@@ -4,8 +4,8 @@
 "cisco.ftd.destination_interface": "input",
 "cisco.ftd.message_id": "430002",
 "cisco.ftd.rule_name": [
- "default",
- "Rule-1"
+ "Rule-1",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -46,9 +46,9 @@
 "event.severity": 1,
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "start",
- "allowed"
+ "start"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -71,8 +71,8 @@
 "firepower"
 ],
 "related.ip": [
- "10.0.100.30",
- "10.0.1.20"
+ "10.0.1.20",
+ "10.0.100.30"
 ],
 "related.user": [
 "No Authentication Required"
@@ -94,8 +94,8 @@
 "cisco.ftd.destination_interface": "input",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Rule-1"
+ "Rule-1",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -140,9 +140,9 @@
 "event.start": "2019-08-15T16:05:33.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -165,8 +165,8 @@
 "firepower"
 ],
 "related.ip": [
- "10.0.100.30",
- "10.0.1.20"
+ "10.0.1.20",
+ "10.0.100.30"
 ],
 "related.user": [
 "No Authentication Required"
@@ -188,8 +188,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430002",
 "cisco.ftd.rule_name": [
- "default",
- "Rule-1"
+ "Rule-1",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -243,9 +243,9 @@
 "event.severity": 1,
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "start",
- "allowed"
+ "start"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -292,8 +292,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Rule-1"
+ "Rule-1",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -353,9 +353,9 @@
 "event.start": "2019-08-15T16:07:00.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -402,8 +402,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430002",
 "cisco.ftd.rule_name": [
- "default",
- "Rule-1"
+ "Rule-1",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -453,9 +453,9 @@
 "event.severity": 1,
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "start",
- "allowed"
+ "start"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -500,8 +500,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Rule-1"
+ "Rule-1",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -563,9 +563,9 @@
 "event.start": "2019-08-15T16:07:18.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -622,8 +622,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430002",
 "cisco.ftd.rule_name": [
- "default",
- "Rule-1"
+ "Rule-1",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -673,9 +673,9 @@
 "event.severity": 1,
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "start",
- "allowed"
+ "start"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -720,8 +720,8 @@
 "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Rule-1"
+ "Rule-1",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Allow",
@@ -782,9 +782,9 @@
 "event.start": "2019-08-16T09:33:15.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -838,8 +838,8 @@
 "cisco.ftd.destination_interface": "input",
 "cisco.ftd.message_id": "430002",
 "cisco.ftd.rule_name": [
- "default",
- "Block-inbound-ICMP"
+ "Block-inbound-ICMP",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Block",
@@ -879,8 +879,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "connection",
- "start",
- "failure"
+ "failure",
+ "start"
 ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
@@ -901,8 +901,8 @@
 "firepower"
 ],
 "related.ip": [
- "10.0.100.30",
- "10.0.1.20"
+ "10.0.1.20",
+ "10.0.100.30"
 ],
 "related.user": [
 "No Authentication Required"
@@ -924,8 +924,8 @@
 "cisco.ftd.destination_interface": "output",
 "cisco.ftd.message_id": "430003",
 "cisco.ftd.rule_name": [
- "default",
- "Intrusion-Rule"
+ "Intrusion-Rule",
+ "default"
 ],
 "cisco.ftd.security.ac_policy": "default",
 "cisco.ftd.security.access_control_rule_action": "Block",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
index e98e7fc90cd..8469b5b1b22 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
@@ -66,9 +66,9 @@
 "event.start": "2020-03-01T01:02:16.000Z",
 "event.timezone": "-02:00",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "ftd",
 "host.hostname": "CISCO-SENSOR-3D",
@@ -93,8 +93,8 @@
 "CISCO-SENSOR-3D"
 ],
 "related.ip": [
- "3.3.3.3",
- "2.2.2.2"
+ "2.2.2.2",
+ "3.3.3.3"
 ],
 "related.user": [
 "No Authentication Required"
diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
index 5841793ceb8..dc61cee0f01 100644
--- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
@@ -169,8 +169,8 @@
 "network.transport": "tcp",
 "network.type": "ipv6",
 "related.ip": [
- "2001:DB8::3",
- "2001:DB8:1000::1"
+ "2001:DB8:1000::1",
+ "2001:DB8::3"
 ],
 "service.type": "cisco",
 "source.address": "2001:DB8::3",
@@ -364,8 +364,8 @@
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "198.51.100.12",
- "172.217.10.46"
+ "172.217.10.46",
+ "198.51.100.12"
 ],
 "service.type": "cisco",
 "source.address": "198.51.100.12",
@@ -862,8 +862,8 @@
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "198.51.100.12",
- "172.217.10.46"
+ "172.217.10.46",
+ "198.51.100.12"
 ],
 "service.type": "cisco",
 "source.address": "198.51.100.12",
@@ -1057,8 +1057,8 @@
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "198.51.100.12",
- "172.217.10.46"
+ "172.217.10.46",
+ "198.51.100.12"
 ],
 "service.type": "cisco",
 "source.address": "198.51.100.12",
@@ -1205,8 +1205,8 @@
 "network.transport": "udp",
 "network.type": "ipv4",
 "related.ip": [
- "8.8.8.8",
- "198.51.100.195"
+ "198.51.100.195",
+ "8.8.8.8"
 ],
 "service.type": "cisco",
 "source.address": "8.8.8.8",
@@ -1281,8 +1281,8 @@
 "network.transport": "icmp",
 "network.type": "ipv4",
 "related.ip": [
- "198.51.100.12",
- "198.51.100.1"
+ "198.51.100.1",
+ "198.51.100.12"
 ],
 "service.type": "cisco",
 "source.address": "198.51.100.12",
@@ -1334,8 +1334,8 @@
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "198.51.100.12",
- "172.217.10.46"
+ "172.217.10.46",
+ "198.51.100.12"
 ],
 "service.type": "cisco",
 "source.address": "198.51.100.12",
@@ -1576,8 +1576,8 @@
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "198.51.100.12",
- "172.217.10.46"
+ "172.217.10.46",
+ "198.51.100.12"
 ],
 "service.type": "cisco",
 "source.address": "198.51.100.12",
diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json
index 399ed4706eb..cb59c443879 100644
--- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json
@@ -17,8 +17,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.193.124.51",
- "10.15.44.253"
+ "10.15.44.253",
+ "10.193.124.51"
 ],
 "rsa.internal.event_desc": "olaborissecurity_event tur",
 "rsa.internal.messageid": "security_event",
@@ -137,8 +137,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.155.236.240",
- "10.112.46.169"
+ "10.112.46.169",
+ "10.155.236.240"
 ],
 "rsa.internal.messageid": "flows",
 "rsa.misc.action": [
@@ -416,8 +416,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.74.237.180",
- "10.163.72.17"
+ "10.163.72.17",
+ "10.74.237.180"
 ],
 "rsa.internal.event_desc": "remipsum security_event liq",
 "rsa.internal.messageid": "security_event",
@@ -587,8 +587,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.88.231.224",
- "10.187.77.245"
+ "10.187.77.245",
+ "10.88.231.224"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -734,8 +734,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.63.194.87",
- "10.182.178.217"
+ "10.182.178.217",
+ "10.63.194.87"
 ],
 "rsa.counters.dclass_r1": "fdeFi",
 "rsa.internal.messageid": "events",
@@ -1029,8 +1029,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.66.89.5",
- "10.247.30.212"
+ "10.247.30.212",
+ "10.66.89.5"
 ],
 "rsa.internal.messageid": "flows",
 "rsa.misc.action": [
@@ -1133,8 +1133,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.58.64.108",
- "10.54.37.86"
+ "10.54.37.86",
+ "10.58.64.108"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -1402,8 +1402,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.242.77.170",
- "10.150.245.88"
+ "10.150.245.88",
+ "10.242.77.170"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -1439,8 +1439,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.247.139.239",
- "10.180.195.43"
+ "10.180.195.43",
+ "10.247.139.239"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -1979,8 +1979,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.83.131.245",
- "10.39.172.93"
+ "10.39.172.93",
+ "10.83.131.245"
 ],
 "rsa.internal.messageid": "flows",
 "rsa.misc.action": [
@@ -2018,8 +2018,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.86.188.179",
- "10.201.168.116"
+ "10.201.168.116",
+ "10.86.188.179"
 ],
 "rsa.internal.messageid": "events",
 "rsa.misc.event_source": "appliance",
@@ -2056,8 +2056,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.148.211.222",
- "10.122.204.151"
+ "10.122.204.151",
+ "10.148.211.222"
 ],
 "rsa.internal.event_desc": "umexercisecurity_event duntut",
 "rsa.internal.messageid": "security_event",
@@ -2135,8 +2135,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.97.46.16",
- "10.120.4.9"
+ "10.120.4.9",
+ "10.97.46.16"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -2171,8 +2171,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.171.206.139",
- "10.165.173.162"
+ "10.165.173.162",
+ "10.171.206.139"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -2209,8 +2209,8 @@
 "uames4985.mail.localdomain"
 ],
 "related.ip": [
- "10.150.163.151",
- "10.144.57.239"
+ "10.144.57.239",
+ "10.150.163.151"
 ],
 "rsa.internal.messageid": "events",
 "rsa.misc.event_source": "appliance",
@@ -2383,8 +2383,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.2.110.73",
- "10.103.49.129"
+ "10.103.49.129",
+ "10.2.110.73"
 ],
 "rsa.counters.dclass_r1": "orumS",
 "rsa.internal.messageid": "events",
@@ -2432,8 +2432,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.158.61.228",
- "10.132.176.96"
+ "10.132.176.96",
+ "10.158.61.228"
 ],
 "rsa.counters.dclass_r1": "eserun",
 "rsa.internal.messageid": "events",
@@ -2480,8 +2480,8 @@
 "lors2232.api.example"
 ],
 "related.ip": [
- "10.46.217.155",
- "10.105.136.146"
+ "10.105.136.146",
+ "10.46.217.155"
 ],
 "rsa.internal.messageid": "events",
 "rsa.misc.event_source": "appliance",
@@ -2524,8 +2524,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.245.199.23",
- "10.123.62.215"
+ "10.123.62.215",
+ "10.245.199.23"
 ],
 "rsa.db.index": "iusmodt",
 "rsa.internal.messageid": "flows",
@@ -2755,8 +2755,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.244.32.189",
- "10.121.9.5"
+ "10.121.9.5",
+ "10.244.32.189"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -3165,8 +3165,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.121.37.244",
- "10.113.152.241"
+ "10.113.152.241",
+ "10.121.37.244"
 ],
 "rsa.internal.messageid": "flows",
 "rsa.misc.action": [
@@ -3207,8 +3207,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.254.96.130",
- "10.247.118.132"
+ "10.247.118.132",
+ "10.254.96.130"
 ],
 "rsa.counters.dclass_r1": "ectet",
 "rsa.internal.messageid": "events",
@@ -3256,8 +3256,8 @@
 "appliance"
 ],
 "related.ip": [
- "10.200.98.243",
- "10.101.13.122"
+ "10.101.13.122",
+ "10.200.98.243"
 ],
 "rsa.counters.dclass_r1": "uteirur",
 "rsa.internal.messageid": "events",
@@ -3407,8 +3407,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.162.202.14",
- "10.137.166.97"
+ "10.137.166.97",
+ "10.162.202.14"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log-expected.json
index 6cedb19cced..ae62751926b 100644
--- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log-expected.json
+++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-cloudfirewalllogs.log-expected.json
@@ -23,8 +23,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "172.17.3.4",
- "146.112.255.129"
+ "146.112.255.129",
+ "172.17.3.4"
 ],
 "related.user": [
 "Passive Monitor"
@@ -60,8 +60,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "172.17.3.4",
- "146.112.255.129"
+ "146.112.255.129",
+ "172.17.3.4"
 ],
 "related.user": [
 "Passive Monitor"
diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json
index 81b1478da27..14855cd03bd 100644
--- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json
+++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json
@@ -30,8 +30,8 @@
 "observer.type": "dns",
 "observer.vendor": "Cisco",
 "related.hosts": [
- "some other identity",
- "NOERROR"
+ "NOERROR",
+ "some other identity"
 ],
 "related.ip": [
 "192.168.1.1"
@@ -75,8 +75,8 @@
 "observer.type": "dns",
 "observer.vendor": "Cisco",
 "related.hosts": [
- "some other identity",
- "NOERROR"
+ "NOERROR",
+ "some other identity"
 ],
 "related.ip": [
 "192.168.1.1"
diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json
index 4f0b9552eb4..8a38e04731e 100644
--- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json
+++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json
@@ -26,8 +26,8 @@
 "observer.type": "proxy",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.168.1.1",
 "1.1.1.1",
+ "192.168.1.1",
 "8.8.8.8"
 ],
 "service.type": "cisco",
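Review bot: In the `@@ -30,8 +30,8 @@` hunk of umbrella-dnslogs.log-expected.json the sorted `related.hosts` array now leads with `"NOERROR"`, which is a DNS response code rather than a host identifier; the same value sits in the `-75,8` hunk. The sort did not introduce it, but the fixture makes it visible that the dnslogs pipeline appears to be appending the rcode to `related.hosts`, which would pollute host-based correlation and any detection that keys on that field. Worth a follow-up against the ingest pipeline rather than against this fixture.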
@@ -67,8 +67,8 @@
 "observer.type": "proxy",
 "observer.vendor": "Cisco",
 "related.ip": [
- "192.168.1.1",
 "1.1.1.1",
+ "192.168.1.1",
 "8.8.8.8"
 ],
 "service.type": "cisco",
@@ -108,8 +108,8 @@
 "ActiveDirectoryUserName,ADSite,Network"
 ],
 "related.ip": [
- "192.192.192.135",
- "1.1.1.91"
+ "1.1.1.91",
+ "192.192.192.135"
 ],
 "service.type": "cisco",
 "source.address": "ActiveDirectoryUserName,ADSite,Network",
diff --git a/x-pack/filebeat/module/coredns/log/test/coredns-json.log-expected.json b/x-pack/filebeat/module/coredns/log/test/coredns-json.log-expected.json
index 23515a993ce..000c31f591e 100644
--- a/x-pack/filebeat/module/coredns/log/test/coredns-json.log-expected.json
+++ b/x-pack/filebeat/module/coredns/log/test/coredns-json.log-expected.json
@@ -10,14 +10,14 @@
 "coredns.response.code": "NXDOMAIN",
 "coredns.response.flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "coredns.response.size": 136,
 "dns.header_flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "dns.id": "21583",
 "dns.question.class": "IN",
@@ -73,14 +73,14 @@
 "coredns.response.code": "NOERROR",
 "coredns.response.flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "coredns.response.size": 83,
 "dns.header_flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "dns.id": "6966",
 "dns.question.class": "IN",
@@ -136,14 +136,14 @@
 "coredns.response.code": "NOERROR",
 "coredns.response.flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "coredns.response.size": 100,
 "dns.header_flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "dns.id": "62762",
 "dns.question.class": "IN",
diff --git a/x-pack/filebeat/module/coredns/log/test/coredns.log-expected.json b/x-pack/filebeat/module/coredns/log/test/coredns.log-expected.json
index 2d573602c17..5a8a6878003 100644
--- a/x-pack/filebeat/module/coredns/log/test/coredns.log-expected.json
+++ b/x-pack/filebeat/module/coredns/log/test/coredns.log-expected.json
@@ -10,14 +10,14 @@
 "coredns.response.code": "NXDOMAIN",
 "coredns.response.flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "coredns.response.size": 136,
 "dns.header_flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "dns.id": "21583",
 "dns.question.class": "IN",
@@ -64,14 +64,14 @@
 "coredns.response.code": "NOERROR",
 "coredns.response.flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "coredns.response.size": 188,
 "dns.header_flags": [
 "QR",
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "dns.id": "14639",
 "dns.question.class": "IN",
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
index 690cb98ed09..49856354eb7 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
@@ -20,8 +20,8 @@
 "event.module": "crowdstrike",
 "event.outcome": "unknown",
 "event.type": [
- "start",
- "session"
+ "session",
+ "start"
 ],
 "fileset.name": "falcon",
 "host.name": "hostnameofmachine",
@@ -92,24 +92,24 @@
 {
 "crowdstrike.event.AuditKeyValues": [
 {
- "Key": "APIClientID",
- "ValueString": "1234567890abcdefghijklmnopqr"
+ "Key": "offset",
+ "ValueString": "-1"
 },
 {
 "Key": "partition",
 "ValueString": "0"
 },
 {
- "Key": "offset",
- "ValueString": "-1"
- },
- {
- "Key": "appId",
- "ValueString": "siem-connector-v2.0.0"
+ "Key": "APIClientID",
+ "ValueString": "1234567890abcdefghijklmnopqr"
 },
 {
 "Key": "eventType",
 "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
+ },
+ {
+ "Key": "appId",
+ "ValueString": "siem-connector-v2.0.0"
 }
 ],
 "crowdstrike.event.OperationName": "streamStarted",
@@ -573,14 +573,6 @@
 },
 {
 "crowdstrike.event.AuditKeyValues": [
- {
- "Key": "detection_id",
- "ValueString": "ldt:5a6fd0b7347440cd74cb84855a8aee18:17180539745"
- },
- {
- "Key": "new_state",
- "ValueString": "in_progress"
- },
 {
 "Key": "assigned_to",
 "ValueString": "First Last"
@@ -588,6 +580,14 @@
 {
 "Key": "assigned_to_uid",
 "ValueString": "first.last@company.com"
+ },
+ {
+ "Key": "new_state",
+ "ValueString": "in_progress"
+ },
+ {
+ "Key": "detection_id",
+ "ValueString": "ldt:5a6fd0b7347440cd74cb84855a8aee18:17180539745"
 }
 ],
 "crowdstrike.event.OperationName": "detection_update",
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
index b49e03fd863..4aaf36a8484 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
@@ -45,8 +45,8 @@
 "event.module": "crowdstrike",
 "event.outcome": "unknown",
 "event.type": [
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "falcon",
 "host.name": "TESTDEVICE01",
@@ -63,8 +63,8 @@
 "TESTDEVICE01"
 ],
 "related.ip": [
- "10.37.60.21",
- "10.37.60.194"
+ "10.37.60.194",
+ "10.37.60.21"
 ],
 "rule.category": "fec73e96a1bf4481be582c3f89b234fa",
 "rule.description": "",
@@ -116,14 +116,6 @@
 },
 {
 "crowdstrike.event.AuditKeyValues": [
- {
- "Key": "trace_id",
- "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b"
- },
- {
- "Key": "actor_user",
- "ValueString": "first.last@company.com"
- },
 {
 "Key": "actor_user_uuid",
 "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2"
@@ -132,6 +124,14 @@
 "Key": "actor_cid",
 "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d"
 },
+ {
+ "Key": "trace_id",
+ "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b"
+ },
+ {
+ "Key": "actor_user",
+ "ValueString": "first.last@company.com"
+ },
 {
 "Key": "target_user",
 "ValueString": "first.last@company.com"
@@ -248,8 +248,8 @@
 "event.module": "crowdstrike",
 "event.outcome": "unknown",
 "event.type": [
- "start",
- "session"
+ "session",
+ "start"
 ],
 "fileset.name": "falcon",
 "host.name": "TESTDEVICE01",
@@ -274,13 +274,13 @@
 },
 {
 "crowdstrike.event.Commands": [
+ "cd \\Program Files (x86)",
 "cd \\Program Files (x86)\\Symantec",
 "ls .",
- "cd \\Program Files (x86)",
 "ls .",
 "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default",
- "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```",
 "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default",
+ "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```",
 "restart",
 "restart -Confirm"
 ],
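Review bot: The `@@ -274,13 +274,13 @@` hunk alphabetically sorts `crowdstrike.event.Commands`, which is an ordered transcript of a remote-response session, so the expected fixture no longer records that the `reg set … GroupingTags` command ran between the two `reg query` calls and before `restart`. If the comparison helper sorts the generated output the same way, as the commit title suggests, the diff itself is harmless, but the test then cannot catch a pipeline change that reorders or drops a command in a field where sequence is the evidence an analyst relies on. Consider exempting order-significant fields such as `crowdstrike.event.Commands` from the sort, or documenting in the test helper that array order is not asserted for any field.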
@@ -336,22 +336,22 @@
 "crowdstrike.event.DetectName": "NGAV",
 "crowdstrike.event.ExecutablesWritten": [
 {
- "FileName": "NEURO_200_J1939Configuration.mexw64",
+ "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
 "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
 "Timestamp": 1595002290
 },
 {
- "FileName": "NEURO_200_J1939Configuration.mexw64",
+ "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
 "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
 "Timestamp": 1595002290
 },
 {
- "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
+ "FileName": "NEURO_200_J1939Configuration.mexw64",
 "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
 "Timestamp": 1595002290
 },
 {
- "FileName": "NEURO_200_J1939CanPackMessage.mexw64",
+ "FileName": "NEURO_200_J1939Configuration.mexw64",
 "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder",
 "Timestamp": 1595002290
 }
diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
index d04fc32870f..f1a3179c820 100644
--- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
@@ -73,8 +73,8 @@
 ],
 "related.user": [
 "dolore",
- "orev",
- "nnumqu"
+ "nnumqu",
+ "orev"
 ],
 "rsa.db.database": "umdo",
 "rsa.db.index": "vol",
@@ -139,9 +139,9 @@
 "10.46.185.46"
 ],
 "related.user": [
- "serror",
 "incid",
- "nse"
+ "nse",
+ "serror"
 ],
 "rsa.db.database": "byC",
 "rsa.db.index": "tur",
@@ -198,8 +198,8 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.6713",
 "related.hosts": [
- "uam6303.api.lan",
- "llu4762.mail.localdomain"
+ "llu4762.mail.localdomain",
+ "uam6303.api.lan"
 ],
 "related.ip": [
 "10.155.236.240",
@@ -265,9 +265,15 @@
 "10.81.199.122"
 ],
 "related.user": [
+<<<<<<< HEAD
 "oremips",
 "giatq",
 "eos"
+=======
+ "eos",
+ "giatq",
+ "oremips"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "tempo",
 "rsa.internal.event_desc": "uian",
@@ -309,8 +315,8 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.3491",
 "related.hosts": [
- "temq1198.internal.example",
- "aquaeab2275.www5.domain"
+ "aquaeab2275.www5.domain",
+ "temq1198.internal.example"
 ],
 "related.ip": [
 "10.139.186.201",
@@ -319,6 +325,10 @@
 "related.user": [
 "tcupida",
 "aboris",
+<<<<<<< HEAD
+=======
+ "tcupida",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "uam"
 ],
 "rsa.db.database": "isiu",
@@ -376,16 +386,20 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.6875",
 "related.hosts": [
- "tenbyCic5882.api.home",
- "amquisno3338.www5.lan"
+ "amquisno3338.www5.lan",
+ "tenbyCic5882.api.home"
 ],
 "related.ip": [
- "10.47.76.251",
- "10.104.111.129"
+ "10.104.111.129",
+ "10.47.76.251"
 ],
 "related.user": [
+ "ele",
 "etconsec",
+<<<<<<< HEAD
 "ele",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "ipis"
 ],
 "rsa.db.database": "riat",
@@ -443,9 +457,15 @@
 "10.116.120.216"
 ],
 "related.user": [
+<<<<<<< HEAD
 "umdo",
 "animi",
 "quiratio"
+=======
+ "animi",
+ "quiratio",
+ "umdo"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "oll",
 "rsa.internal.event_desc": "rumet",
@@ -495,9 +515,9 @@
 "10.62.54.220"
 ],
 "related.user": [
- "taevi",
 "psum",
- "rnatura"
+ "rnatura",
+ "taevi"
 ],
 "rsa.db.database": "emeumfug",
 "rsa.db.index": "omn",
@@ -597,8 +617,13 @@
 "10.18.165.35"
 ],
 "related.user": [
+<<<<<<< HEAD
 "modocons",
 "lor",
+=======
+ "lor",
+ "modocons",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "remeum"
 ],
 "rsa.db.index": "etM",
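Review bot: The new side of the `@@ -265,9 +265,15 @@` hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 52f226530d...`) into generated.log-expected.json, so the file will no longer parse as JSON and the fixture carries both the unsorted and the sorted `related.user` array. The same markers are added in the `-319,6`, `-376,16`, `-443,9` and `-597,8` hunks here and in the cyberark hunks that follow (`-643,6` through `-3452,9`); the commit message lists this file under `# Conflicts:`, which suggests the cherry-pick was committed before the conflicts were resolved. Resolving by taking one side mechanically is not enough: in the `-319,6` hunk the incoming side adds `"tcupida",` while the context already holds `"tcupida",` two lines above, so a "theirs" resolution leaves a duplicate entry. Regenerate the fixture or re-sort each affected array, then confirm the file loads with a strict JSON parser before merging.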
@@ -643,6 +668,10 @@
 "related.user": [
 "onproide",
 "icab",
+<<<<<<< HEAD
+=======
+ "onproide",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "tema"
 ],
 "rsa.db.index": "mqui",
@@ -684,8 +713,8 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.1697",
 "related.hosts": [
- "tlabo6088.www.localdomain",
- "Lor5841.internal.example"
+ "Lor5841.internal.example",
+ "tlabo6088.www.localdomain"
 ],
 "related.ip": [
 "10.92.8.15",
@@ -749,9 +778,15 @@
 "10.21.78.128"
 ],
 "related.user": [
+<<<<<<< HEAD
 "taut",
 "upt",
 "giatquov"
+=======
+ "giatquov",
+ "taut",
+ "upt"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "iadese",
 "rsa.internal.event_desc": "deFinibu",
@@ -793,9 +828,15 @@
 "10.18.109.121"
 ],
 "related.user": [
+<<<<<<< HEAD
 "pida",
 "tatn",
 "hil"
+=======
+ "hil",
+ "pida",
+ "tatn"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "quip",
 "rsa.internal.event_desc": "ecillu",
@@ -837,17 +878,23 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.3727",
 "related.hosts": [
- "rpo79.mail.example",
- "iavolu5352.localhost"
+ "iavolu5352.localhost",
+ "rpo79.mail.example"
 ],
 "related.ip": [
 "10.225.115.13",
 "10.63.37.192"
 ],
 "related.user": [
+<<<<<<< HEAD
 "reetd",
 "iunt",
 "equep"
+=======
+ "equep",
+ "iunt",
+ "reetd"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.database": "aliqu",
 "rsa.db.index": "mipsumd",
@@ -911,9 +958,15 @@
 "10.95.64.124"
 ],
 "related.user": [
+<<<<<<< HEAD
 "ntor",
 "run",
 "ice"
+=======
+ "ice",
+ "ntor",
+ "run"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.database": "ite",
 "rsa.db.index": "iquipex",
@@ -1034,8 +1087,8 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.821",
 "related.hosts": [
- "quatD4191.local",
- "etMalor4236.www5.host"
+ "etMalor4236.www5.host",
+ "quatD4191.local"
 ],
 "related.ip": [
 "10.125.160.129",
@@ -1110,8 +1163,13 @@
 ],
 "related.user": [
 "iduntu",
+<<<<<<< HEAD
 "tasuntex",
 "liqui"
+=======
+ "liqui",
+ "tasuntex"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.database": "rvel",
 "rsa.db.index": "onsecte",
@@ -1171,9 +1229,15 @@
 "process.name": "laboree.exe",
 "process.pid": 6501,
 "related.hosts": [
+<<<<<<< HEAD
 "nsecte3304.mail.corp",
 "xeacomm6855.api.corp",
 "eroi176.example"
+=======
+ "eroi176.example",
+ "nsecte3304.mail.corp",
+ "xeacomm6855.api.corp"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.167.85.181",
@@ -1292,8 +1356,8 @@
 ],
 "related.user": [
 "luptatev",
- "uteirure",
- "tDuisaut"
+ "tDuisaut",
+ "uteirure"
 ],
 "rsa.db.database": "uamest",
 "rsa.db.index": "uae",
@@ -1421,8 +1485,8 @@
 "illoin2914.mail.lan"
 ],
 "related.ip": [
- "10.213.144.249",
- "10.192.34.76"
+ "10.192.34.76",
+ "10.213.144.249"
 ],
 "related.user": [
 "iquipe",
@@ -1486,8 +1550,8 @@
 "evit5780.www.corp"
 ],
 "related.ip": [
- "10.216.84.30",
- "10.154.4.197"
+ "10.154.4.197",
+ "10.216.84.30"
 ],
 "related.user": [
 "intoc",
@@ -1547,9 +1611,9 @@
 "10.143.193.199"
 ],
 "related.user": [
- "tqu",
 "niamqui",
- "quid"
+ "quid",
+ "tqu"
 ],
 "rsa.db.index": "inci",
 "rsa.internal.event_desc": "eroinBCS",
@@ -1600,8 +1664,13 @@
 ],
 "related.user": [
 "essequam",
+<<<<<<< HEAD
 "umqu",
 "ritatise"
+=======
+ "ritatise",
+ "umqu"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.database": "ender",
 "rsa.db.index": "entorev",
@@ -1702,9 +1771,15 @@
 "10.107.9.163"
 ],
 "related.user": [
+<<<<<<< HEAD
 "sit",
 "mac",
 "mquisno"
+=======
+ "mac",
+ "mquisno",
+ "sit"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "sit",
 "rsa.internal.event_desc": "tdol",
@@ -1790,17 +1865,17 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.267",
 "related.hosts": [
- "utlab3706.api.host",
- "miurerep1152.internal.domain"
+ "miurerep1152.internal.domain",
+ "utlab3706.api.host"
 ],
 "related.ip": [
- "10.39.10.155",
- "10.235.136.109"
+ "10.235.136.109",
+ "10.39.10.155"
 ],
 "related.user": [
+ "aboreetd",
 "ptass",
- "urExcept",
- "aboreetd"
+ "urExcept"
 ],
 "rsa.db.database": "teirured",
 "rsa.db.index": "dolorem",
@@ -1857,9 +1932,15 @@
 "10.96.224.19"
 ],
 "related.user": [
+<<<<<<< HEAD
 "ibusBon",
 "itation",
 "doloreme"
+=======
+ "doloreme",
+ "ibusBon",
+ "itation"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "oremipsu",
 "rsa.internal.event_desc": "umexerc",
@@ -1901,9 +1982,15 @@
 "10.71.238.250"
 ],
 "related.user": [
+<<<<<<< HEAD
 "reseo",
 "aec",
 "moenimi"
+=======
+ "aec",
+ "moenimi",
+ "reseo"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "mac",
 "rsa.internal.event_desc": "quamest",
@@ -1945,12 +2032,12 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.3804",
 "related.hosts": [
- "rum5798.home",
- "mvel1188.internal.localdomain"
+ "mvel1188.internal.localdomain",
+ "rum5798.home"
 ],
 "related.ip": [
- "10.226.20.199",
- "10.226.101.180"
+ "10.226.101.180",
+ "10.226.20.199"
 ],
 "related.user": [
 "rationev",
@@ -2016,13 +2103,13 @@
 "nisiut3624.api.example"
 ],
 "related.ip": [
- "10.86.22.67",
- "10.134.65.15"
+ "10.134.65.15",
+ "10.86.22.67"
 ],
 "related.user": [
- "utaliqu",
+ "cab",
 "quaUten",
- "cab"
+ "utaliqu"
 ],
 "rsa.db.database": "isciv",
 "rsa.db.index": "nofd",
@@ -2082,9 +2169,15 @@
 "10.70.147.120"
 ],
 "related.user": [
+<<<<<<< HEAD
 "emqu",
 "tten",
 "cidunt"
+=======
+ "cidunt",
+ "emqu",
+ "tten"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "eaqu",
 "rsa.internal.event_desc": "quidol",
@@ -2126,17 +2219,22 @@
 "observer.vendor": "Cyberark",
 "observer.version": "1.6255",
 "related.hosts": [
- "tesse1089.www.host",
- "ptateve6909.www5.lan"
+ "ptateve6909.www5.lan",
+ "tesse1089.www.host"
 ],
 "related.ip": [
- "10.24.111.229",
- "10.178.242.100"
+ "10.178.242.100",
+ "10.24.111.229"
 ],
 "related.user": [
 "dqu",
+<<<<<<< HEAD
 "loi",
 "idid"
+=======
+ "idid",
+ "loi"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.database": "tenatuse",
 "rsa.db.index": "ullamcor",
@@ -2193,9 +2291,15 @@
 "10.211.179.168"
 ],
 "related.user": [
+<<<<<<< HEAD
 "ritati",
 "untincul",
 "mmodoc"
+=======
+ "mmodoc",
+ "ritati",
+ "untincul"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "emvele",
 "rsa.internal.event_desc": "oluptas",
@@ -2237,9 +2341,15 @@
 "10.30.243.163"
 ],
 "related.user": [
+<<<<<<< HEAD
 "mven",
 "dolore",
 "illu"
+=======
+ "dolore",
+ "illu",
+ "mven"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.index": "idol",
 "rsa.internal.event_desc": "lore",
@@ -2285,13 +2395,18 @@
 "modocon5089.mail.example"
 ],
 "related.ip": [
- "10.6.79.159",
- "10.212.214.4"
+ "10.212.214.4",
+ "10.6.79.159"
 ],
 "related.user": [
 "amvo",
+<<<<<<< HEAD
 "quid",
 "midestl"
+=======
+ "midestl",
+ "quid"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.db.database": "urExce",
 "rsa.db.index": "ectiono",
@@ -2356,9 +2471,15 @@ "10.237.170.202" ], "related.user": [ +<<<<<<< HEAD "liquide", "rcit", "atDu" +======= + "atDu", + "liquide", + "rcit" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "taedict", "rsa.db.index": "loremeu", @@ -2415,8 +2536,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.4282", "related.hosts": [ - "mipsum2964.invalid", - "mad5185.www5.localhost" + "mad5185.www5.localhost", + "mipsum2964.invalid" ], "related.ip": [ "10.179.50.138", @@ -2482,16 +2603,20 @@ "observer.vendor": "Cyberark", "observer.version": "1.3806", "related.hosts": [ - "veniamq1236.invalid", - "esseq7889.www.invalid" + "esseq7889.www.invalid", + "veniamq1236.invalid" ], "related.ip": [ "10.49.71.118", "10.234.165.130" ], "related.user": [ + "emip", "henderit", +<<<<<<< HEAD "emip", +======= +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iuntNequ" ], "rsa.db.database": "veniamqu", @@ -2593,9 +2718,15 @@ "10.193.219.34" ], "related.user": [ +<<<<<<< HEAD "uamei", "utlabo", "olorem" +======= + "olorem", + "uamei", + "utlabo" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "nse", "rsa.internal.event_desc": "orisni", @@ -2645,9 +2776,15 @@ "10.174.185.109" ], "related.user": [ +<<<<<<< HEAD "dolorem", "rsp", "animid" +======= + "animid", + "dolorem", + "rsp" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2707,8 +2844,8 @@ "atnulapa3548.www.domain" ], "related.ip": [ - "10.141.213.219", - "10.117.137.159" + "10.117.137.159", + "10.141.213.219" ], "related.user": [ "ate", @@ -2915,9 +3052,9 @@ "10.255.28.56" ], "related.user": [ + "rerepre", "umdolors", - "uptatem", - "rerepre" + "uptatem" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", 
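Review bot: The conflict in the `related.user` array of the `@@ -2482,16 +2603,20 @@` hunk is shaped differently from the others: the incoming side has already added `"emip"` before `"henderit"` and its conflict branch is empty, while the HEAD branch still holds the old `"emip"` after it. Resolving this by accepting both sides (a common editor default) would leave `"emip"` twice in the array and change the fixture's meaning, so resolve it by deleting the HEAD branch and the marker lines only, leaving `"emip", "henderit", "iuntNequ"`.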
@@ -2974,9 +3111,15 @@ "10.45.35.180" ], "related.user": [ +<<<<<<< HEAD "qui", "mip", "Utenima" +======= + "Utenima", + "mip", + "qui" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "boree", "rsa.internal.event_desc": "uteir", @@ -3106,8 +3249,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.3147", "related.hosts": [ - "mestq2106.api.host", - "llamc6724.www.lan" + "llamc6724.www.lan", + "mestq2106.api.host" ], "related.ip": [ "10.39.143.155", @@ -3181,9 +3324,9 @@ "10.153.123.20" ], "related.user": [ - "unt", "CSe", - "minim" + "minim", + "unt" ], "rsa.db.database": "atu", "rsa.db.index": "roi", @@ -3248,9 +3391,15 @@ "10.210.61.109" ], "related.user": [ +<<<<<<< HEAD "iamea", "eursinto", "giatquov" +======= + "eursinto", + "giatquov", + "iamea" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "ici", "rsa.db.index": "iquaUt", @@ -3308,8 +3457,13 @@ ], "related.user": [ "dolorsi", +<<<<<<< HEAD "quiac", "lmo" +======= + "lmo", + "quiac" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "idunt", "rsa.internal.event_desc": "usantiu", @@ -3352,9 +3506,15 @@ "10.169.123.103" ], "related.user": [ +<<<<<<< HEAD "oeni", "xplic", "etquasia" +======= + "etquasia", + "oeni", + "xplic" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "hend", "rsa.internal.event_desc": "piscivel", @@ -3452,9 +3612,15 @@ "10.169.101.161" ], "related.user": [ +<<<<<<< HEAD "ine", "orissu", "eufug" +======= + "eufug", + "ine", + "orissu" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "stquidol", "rsa.db.index": "imadmini", @@ -3562,9 +3728,9 @@ "10.134.55.11" ], "related.user": [ - "tanimid", "madminim", - "mmod" + "mmod", + "tanimid" ], "rsa.db.database": "tetura", "rsa.db.index": "uptasnul", 
@@ -3696,9 +3862,15 @@ "10.61.175.217" ], "related.user": [ +<<<<<<< HEAD "tat", "runtm", "ntexpl" +======= + "ntexpl", + "runtm", + "tat" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "rere", "rsa.db.index": "nonn", @@ -3798,9 +3970,15 @@ "10.98.71.45" ], "related.user": [ +<<<<<<< HEAD "onse", "fugitse", "CSe" +======= + "CSe", + "fugitse", + "onse" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "Dui", "rsa.internal.event_desc": "isci", @@ -3842,9 +4020,15 @@ "10.252.251.143" ], "related.user": [ +<<<<<<< HEAD "remq", "rspic", "nonn" +======= + "nonn", + "remq", + "rspic" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "nre", "rsa.internal.event_desc": "tev", @@ -3930,8 +4114,13 @@ "10.187.170.23" ], "related.user": [ +<<<<<<< HEAD "ibusBo", "enima", +======= + "enima", + "ibusBo", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "sectetu" ], "rsa.db.index": "uido", @@ -3982,8 +4171,13 @@ "10.123.62.215" ], "related.user": [ +<<<<<<< HEAD "quaeratv", "aevitaed", +======= + "aevitaed", + "quaeratv", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "tinculpa" ], "rsa.db.database": "lica", @@ -4040,8 +4234,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.3759", "related.hosts": [ - "temvele5776.www.test", - "osa3211.www5.example" + "osa3211.www5.example", + "temvele5776.www.test" ], "related.ip": [ "10.146.57.23", @@ -4105,9 +4299,15 @@ "10.193.33.201" ], "related.user": [ +<<<<<<< HEAD "uamestqu", "niamqui", "ptatemU" +======= + "niamqui", + "ptatemU", + "uamestqu" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "doeiu", "rsa.internal.event_desc": "uasiarc", 
@@ -4193,9 +4393,15 @@ "10.47.63.70" ], "related.user": [ +<<<<<<< HEAD "tpers", "midestl", "expl" +======= + "expl", + "midestl", + "tpers" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "olu", "rsa.internal.event_desc": "odocons", @@ -4285,13 +4491,18 @@ "teursint1321.www5.example" ], "related.ip": [ - "10.89.154.115", - "10.85.13.237" + "10.85.13.237", + "10.89.154.115" ], "related.user": [ "Nem", +<<<<<<< HEAD "luptat", "emeu" +======= + "emeu", + "luptat" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "nturmag", "rsa.db.index": "maliqua", @@ -4348,8 +4559,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.3387", "related.hosts": [ - "nimve2787.mail.test", - "boreet2051.internal.localdomain" + "boreet2051.internal.localdomain", + "nimve2787.mail.test" ], "related.ip": [ "10.222.32.183", @@ -4504,8 +4715,8 @@ ], "related.user": [ "eprehe", - "tdolo", - "porissus" + "porissus", + "tdolo" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", @@ -4666,9 +4877,9 @@ "10.148.195.208" ], "related.user": [ - "quaerat", "isi", - "mpori" + "mpori", + "quaerat" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4729,13 +4940,13 @@ "quisquam2153.mail.host" ], "related.ip": [ - "10.107.24.54", - "10.10.174.253" + "10.10.174.253", + "10.107.24.54" ], "related.user": [ "hend", - "uptasn", - "itinvo" + "itinvo", + "uptasn" ], "rsa.db.database": "lup", "rsa.db.index": "isau", @@ -4794,8 +5005,13 @@ ], "related.user": [ "eeufug", +<<<<<<< HEAD "tamr", "luptate" +======= + "luptate", + "tamr" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "oreeufug", "rsa.internal.event_desc": "ura", @@ -4849,9 +5065,9 @@ "10.231.51.136" ], "related.user": [ - "asper", + "Finibus", "accus", - "Finibus" + "asper" ], "rsa.db.database": "litani", "rsa.db.index": "arch", 
@@ -4953,8 +5169,8 @@ ], "related.user": [ "cusa", - "ollita", - "mmodicon" + "mmodicon", + "ollita" ], "rsa.db.index": "ercitati", "rsa.internal.event_desc": "pteurs", @@ -5178,9 +5394,15 @@ "10.101.45.225" ], "related.user": [ +<<<<<<< HEAD "uinesc", "emi", "cipitla" +======= + "cipitla", + "emi", + "uinesc" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "caecat", "rsa.internal.event_desc": "tsunt", @@ -5272,8 +5494,13 @@ ], "related.user": [ "aliqu", +<<<<<<< HEAD "ptatemse", "enimad" +======= + "enimad", + "ptatemse" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "Except", "rsa.internal.event_desc": "cons", @@ -5319,13 +5546,18 @@ "lla5407.lan" ], "related.ip": [ - "10.94.152.238", - "10.151.110.250" + "10.151.110.250", + "10.94.152.238" ], "related.user": [ "neavol", +<<<<<<< HEAD "tla", "pidatatn" +======= + "pidatatn", + "tla" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "itaedict", "rsa.db.index": "onemull", @@ -5381,8 +5613,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.4965", "related.hosts": [ - "tatemse5403.home", - "iquipexe4708.api.localhost" + "iquipexe4708.api.localhost", + "tatemse5403.home" ], "related.ip": [ "10.77.9.17", @@ -5390,8 +5622,13 @@ ], "related.user": [ "alorumwr", +<<<<<<< HEAD "umS", "tevel" +======= + "tevel", + "umS" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "amremap", "rsa.db.index": "aqu", @@ -5491,8 +5728,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.7701", "related.hosts": [ - "reprehe650.www.corp", - "oremip4070.www5.invalid" + "oremip4070.www5.invalid", + "reprehe650.www.corp" ], "related.ip": [ "10.200.162.248", 
@@ -5500,8 +5737,13 @@ ], "related.user": [ "doloremi", +<<<<<<< HEAD "reseo", "onnu" +======= + "onnu", + "reseo" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.database": "billo", "rsa.db.index": "ectetura", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json index 8318232cba4..9c3195e8488 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json @@ -36,8 +36,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json index 2fd7243dc82..2ac071e7963 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json @@ -36,8 +36,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json index 262c670a528..ca2478070a1 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json 
@@ -37,8 +37,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json index 0b008d88f7a..3bb6c3a5e7e 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json @@ -35,8 +35,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json index 9f23e422362..371f33ab4f8 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json @@ -35,8 +35,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json index 2882ace09bb..b99a40e8160 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json 
@@ -43,8 +43,8 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", - "change" + "change", + "user" ], "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", "fileset.name": "audit", @@ -60,8 +60,8 @@ "10.0.1.20" ], "related.user": [ - "PasswordManager", - "ELASTIC\\bart" + "ELASTIC\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json index 3f89812c054..9262f4a6fdb 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json @@ -23,8 +23,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -82,8 +82,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -141,8 +141,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -200,8 +200,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -259,8 +259,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -318,8 +318,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", 
@@ -376,8 +376,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -435,8 +435,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -495,8 +495,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -555,8 +555,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -612,8 +612,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", @@ -669,8 +669,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.name": "VAULT", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json index 9faecd9b6ef..ceda7e9f02b 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json @@ -40,12 +40,12 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "related.user": [ - "PVWAGWUser", - "Administrator" + "Administrator", + "PVWAGWUser" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", 
@@ -98,12 +98,12 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", - "10.0.1.20" + "10.0.1.20", + "81.32.170.205" ], "related.user": [ - "PVWAGWUser", - "Administrator" + "Administrator", + "PVWAGWUser" ], "service.type": "cyberarkpas", "source.address": "81.32.170.205", @@ -164,12 +164,12 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "37.223.7.45", - "10.0.1.20" + "10.0.1.20", + "37.223.7.45" ], "related.user": [ - "PVWAGWUser", - "Administrator" + "Administrator", + "PVWAGWUser" ], "service.type": "cyberarkpas", "source.address": "37.223.7.45", @@ -291,8 +291,8 @@ "10.0.1.20" ], "related.user": [ - "PVWAGWUser", - "Administrator" + "Administrator", + "PVWAGWUser" ], "service.type": "cyberarkpas", "source.address": "10.0.1.10", @@ -358,8 +358,8 @@ "81.32.170.205" ], "related.user": [ - "PSMPGW_VAGRANT", - "Administrator" + "Administrator", + "PSMPGW_VAGRANT" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -425,8 +425,8 @@ "81.32.170.205" ], "related.user": [ - "PSMPGW_VAGRANT", - "Administrator" + "Administrator", + "PSMPGW_VAGRANT" ], "service.type": "cyberarkpas", "source.address": "10.0.2.2", @@ -480,12 +480,12 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "35.192.121.42", - "10.0.1.20" + "10.0.1.20", + "35.192.121.42" ], "related.user": [ - "PVWAGWUser", - "Administrator" + "Administrator", + "PVWAGWUser" ], "service.type": "cyberarkpas", "source.address": "35.192.121.42", @@ -551,12 +551,12 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ - "PSMPGW_SSH", - "Administrator" + "Administrator", + "PSMPGW_SSH" ], "service.type": "cyberarkpas", "source.address": "81.32.170.205", 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json index ccc17d039a9..94a63122481 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json @@ -39,8 +39,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "change" + "change", + "user" ], "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", "fileset.name": "audit", @@ -110,8 +110,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "change" + "change", + "user" ], "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", "fileset.name": "audit", @@ -184,8 +184,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "change" + "change", + "user" ], "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", "fileset.name": "audit", @@ -259,8 +259,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "change" + "change", + "user" ], "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", "fileset.name": "audit", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json index b26bdf2e009..1e1ee0d8496 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json 
@@ -81,8 +81,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -507,8 +507,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json index a7e89b58fcc..fec1f051b54 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json @@ -36,8 +36,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", "fileset.name": "audit", @@ -107,8 +107,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", "fileset.name": "audit", @@ -118,12 +118,12 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.6.0000", "related.ip": [ - "10.2.0.6", - "10.2.0.3" + "10.2.0.3", + "10.2.0.6" ], "related.user": [ - "adm2", - "Administrator2" + "Administrator2", + "adm2" ], "service.type": "cyberarkpas", "source.address": "10.2.0.6", @@ -171,8 +171,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\testobject", "fileset.name": "audit", 
@@ -248,8 +248,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", "fileset.name": "audit", @@ -310,8 +310,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Groups\\WindowsGroup", "fileset.name": "audit", @@ -383,8 +383,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", "fileset.name": "audit", @@ -446,8 +446,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\PSMAdmin", "fileset.name": "audit", @@ -511,8 +511,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\PSMServer", "fileset.name": "audit", @@ -590,8 +590,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", "fileset.name": "audit", @@ -652,8 +652,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Groups\\WindowsGroup", "fileset.name": "audit", @@ -715,8 +715,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\PSMAdmin", "fileset.name": "audit", @@ -779,8 +779,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\PSMServer", "fileset.name": "audit", 
@@ -798,8 +798,8 @@ "169.254.180.25" ], "related.user": [ - "PVWAAppUser", - "PSMConnect" + "PSMConnect", + "PVWAAppUser" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", @@ -847,8 +847,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT", "fileset.name": "audit", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json index d8d5c95ffe8..ccb0ea7ec48 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json @@ -618,9 +618,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -712,9 +712,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -804,9 +804,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -896,9 +896,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -988,9 +988,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", 
@@ -1076,9 +1076,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1164,9 +1164,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1260,9 +1260,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1356,9 +1356,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1452,9 +1452,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json index d305dbfcd0d..c785d0f3fee 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json @@ -634,9 +634,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", 
@@ -730,9 +730,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -824,9 +824,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -918,9 +918,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1012,9 +1012,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1102,9 +1102,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1192,9 +1192,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1290,9 +1290,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -1388,9 +1388,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json index e5f2e33591b..5dfac39be32 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json @@ -42,8 +42,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", "fileset.name": "audit", @@ -53,12 +53,12 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.6.0000", "related.ip": [ - "10.2.0.6", - "10.2.0.3" + "10.2.0.3", + "10.2.0.6" ], "related.user": [ - "adm2", - "Administrator2" + "Administrator2", + "adm2" ], "service.type": "cyberarkpas", "source.address": "10.2.0.6", @@ -111,8 +111,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", @@ -185,8 +185,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", @@ -259,8 +259,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", @@ -333,8 +333,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", 
@@ -407,8 +407,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", @@ -481,8 +481,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", @@ -560,8 +560,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "fileset.name": "audit", @@ -575,9 +575,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -645,8 +645,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "fileset.name": "audit", @@ -660,9 +660,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -734,8 +734,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "fileset.name": "audit", @@ -749,9 +749,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", 
@@ -823,8 +823,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "fileset.name": "audit", @@ -838,9 +838,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json index 06947792b70..616c854c567 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json @@ -38,8 +38,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "related.user": [ "adriansr" @@ -92,8 +92,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "related.user": [ "adriansra" @@ -273,8 +273,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "testark" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json index 6827026c78f..5dc9c9214fd 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json 
@@ -41,8 +41,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "user", - "change" + "change", + "user" ], "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", "fileset.name": "audit", @@ -55,8 +55,8 @@ "10.2.0.4" ], "related.user": [ - "PasswordManager", - "Administrator2" + "Administrator2", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.2.0.4", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json index ef5d1eddfff..6c272ceb712 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json @@ -412,8 +412,8 @@ "81.32.170.205" ], "related.user": [ - "PSMPApp_VAGRANT", - "Auditors" + "Auditors", + "PSMPApp_VAGRANT" ], "service.type": "cyberarkpas", "source.address": "81.32.170.205", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json index bf2a5247e8d..5b5251d08b6 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json @@ -67,8 +67,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", @@ -152,8 +152,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", @@ -237,8 +237,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", 
@@ -322,8 +322,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", @@ -407,8 +407,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", @@ -492,8 +492,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", @@ -577,8 +577,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", @@ -662,8 +662,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", @@ -747,8 +747,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", @@ -832,8 +832,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json index 1d2c0d41d2e..d7712ea0c0c 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json 
@@ -142,9 +142,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -236,9 +236,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -330,9 +330,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -424,9 +424,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -522,9 +522,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", @@ -620,9 +620,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", "34.123.103.115", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json index afc569ca43a..10d03789967 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json 
@@ -33,8 +33,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -78,8 +78,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -123,8 +123,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -168,8 +168,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -213,8 +213,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json index c33da1090c1..a83355aff46 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json @@ -69,8 +69,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC\\bart" + "ELASTIC\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", @@ -236,8 +236,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC.local\\bart" + "ELASTIC.local\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", 
@@ -320,8 +320,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC.local\\bart" + "ELASTIC.local\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", @@ -404,8 +404,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC.local\\bart" + "ELASTIC.local\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", @@ -1096,8 +1096,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC.local\\bart" + "ELASTIC.local\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", @@ -1180,8 +1180,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC.local\\bart" + "ELASTIC.local\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json index 7b13d632c42..f7c81ad1825 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json @@ -64,12 +64,12 @@ "process.name": "shutdown.exe", "process.pid": "4144", "related.ip": [ - "10.2.0.6", - "10.2.0.5" + "10.2.0.5", + "10.2.0.6" ], "related.user": [ - "adm2", - "Administrator2" + "Administrator2", + "adm2" ], "service.type": "cyberarkpas", "source.address": "10.2.0.6", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json index aef660f5e9b..7eaa39d15a9 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json 
@@ -65,8 +65,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "12.0.0000", "related.ip": [ - "127.0.0.1", - "10.0.0.15" + "10.0.0.15", + "127.0.0.1" ], "related.user": [ "Administrator", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json index 50385a481b0..a474cf1a7ee 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json @@ -35,8 +35,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json index 23d05a8184d..71ac263e3f5 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json @@ -43,8 +43,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", @@ -58,9 +58,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ + "10.0.1.20", "127.0.0.1", - "34.123.103.115", - "10.0.1.20" + "34.123.103.115" ], "related.user": [ "Administrator", @@ -121,8 +121,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", 
@@ -136,9 +136,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ + "10.0.1.20", "127.0.0.1", - "34.123.103.115", - "10.0.1.20" + "34.123.103.115" ], "related.user": [ "Administrator", @@ -197,8 +197,8 @@ "event.severity": 2, "event.timezone": "-02:00", "event.type": [ - "admin", - "access" + "access", + "admin" ], "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "fileset.name": "audit", @@ -212,9 +212,9 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ + "10.0.1.20", "127.0.0.1", - "34.123.103.115", - "10.0.1.20" + "34.123.103.115" ], "related.user": [ "Administrator", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json index 4e6f09eab4a..edcea4388a2 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json @@ -96,8 +96,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "related.user": [ "Administrator" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json index 7b217c835ff..f1d9caf02d7 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json @@ -264,8 +264,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json index c48c4268558..a0bfbd934d6 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json @@ -39,8 +39,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -91,8 +91,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -280,8 +280,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -330,8 +330,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -380,8 +380,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -434,8 +434,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", @@ -488,8 +488,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json index 19bc08dc8aa..717f03d98f6 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json @@ -51,9 +51,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2", "fileset.name": "audit", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json index c473243de39..cac21295fdb 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json @@ -50,9 +50,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", "fileset.name": "audit", @@ -70,8 +70,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC\\bart" + "ELASTIC\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", @@ -135,9 +135,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", "fileset.name": "audit", @@ -155,8 +155,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC\\bart" + "ELASTIC\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", 
@@ -216,9 +216,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "fileset.name": "audit", @@ -301,9 +301,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", "fileset.name": "audit", @@ -321,8 +321,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC\\bart" + "ELASTIC\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", @@ -386,9 +386,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", "fileset.name": "audit", @@ -406,8 +406,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC\\bart" + "ELASTIC\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", @@ -468,9 +468,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "fileset.name": "audit", @@ -554,9 +554,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", "fileset.name": "audit", @@ -574,8 +574,8 @@ "34.66.114.180" ], "related.user": [ - "PasswordManager", - "ELASTIC\\bart" + "ELASTIC\\bart", + "PasswordManager" ], "service.type": "cyberarkpas", "source.address": "10.0.1.20", 
@@ -636,9 +636,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "fileset.name": "audit", @@ -720,9 +720,9 @@ "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "user", "change", - "error" + "error", + "user" ], "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "fileset.name": "audit", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json index 8702306a8d5..31636b9a4f0 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json @@ -36,8 +36,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.6.0000", "related.ip": [ - "10.2.0.6", - "10.2.0.3" + "10.2.0.3", + "10.2.0.6" ], "related.user": [ "adm2" @@ -341,8 +341,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "related.user": [ "Administrator" @@ -396,8 +396,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", - "10.0.1.20" + "10.0.1.20", + "81.32.170.205" ], "related.user": [ "Administrator" @@ -459,8 +459,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "37.223.7.45", - "10.0.1.20" + "10.0.1.20", + "37.223.7.45" ], "related.user": [ "Administrator" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json index 57d8a3fe68f..bc2ba6b62db 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json 
@@ -819,8 +819,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205", - "34.71.250.247" + "34.71.250.247", + "81.32.170.205" ], "related.user": [ "Administrator" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json index cff0fe7eb5f..57a5e57e9ee 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json @@ -173,8 +173,8 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "127.0.0.1", - "10.0.1.20" + "10.0.1.20", + "127.0.0.1" ], "service.type": "cyberarkpas", "source.address": "127.0.0.1", diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json index 703b5e977b3..af686156d99 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json +++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json @@ -175,8 +175,8 @@ "message": "[2019-04-11T00:51:07.980Z] \"GET /elastic/ HTTP/1.1\" 301 - 0 0 41 39 \"172.17.0.3\" \"curl/7.59.0\" \"078d1daa-b786-4d6d-85a5-7e4366adaa19\" \"www.elastic.co\" \"151.101.66.217:80\"", "network.protocol": "http", "related.ip": [ - "172.17.0.3", - "151.101.66.217" + "151.101.66.217", + "172.17.0.3" ], "service.type": "envoyproxy", "source.address": "172.17.0.3", diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json index 08bb67602e6..54be543284f 100644 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json 
@@ -24,10 +24,16 @@ "tatemac3541.api.corp" ], "related.ip": [ + "10.11.196.142", "10.165.201.71", +<<<<<<< HEAD "10.228.193.207", "10.208.121.85", "10.11.196.142" +======= + "10.208.121.85", + "10.228.193.207" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "billoi" @@ -92,10 +98,17 @@ "enatus2114.mail.home" ], "related.ip": [ +<<<<<<< HEAD "10.51.132.10", "10.162.9.235", "10.94.67.230", "10.92.202.200" +======= + "10.162.9.235", + "10.51.132.10", + "10.92.202.200", + "10.94.67.230" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "byC" @@ -160,10 +173,10 @@ "gelit6728.api.invalid" ], "related.ip": [ - "10.82.56.117", "10.122.116.161", + "10.191.68.244", "10.209.155.149", - "10.191.68.244" + "10.82.56.117" ], "related.user": [ "seq" @@ -298,6 +311,10 @@ "10.151.111.38", "10.206.197.113", "10.159.182.171", +<<<<<<< HEAD +======= + "10.206.197.113", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.96.35.212" ], "related.user": [ @@ -364,8 +381,12 @@ ], "related.ip": [ "10.126.177.162", + "10.169.144.147", "10.213.113.28", +<<<<<<< HEAD "10.169.144.147", +======= +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.89.163.114" ], "related.user": [ @@ -432,8 +453,14 @@ "related.ip": [ "10.146.88.52", "10.101.223.43", +<<<<<<< HEAD "10.18.124.28", "10.103.107.47" +======= + "10.103.107.47", + "10.146.88.52", + "10.18.124.28" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "rudexerc" @@ -499,9 +526,15 @@ ], "related.ip": [ "10.110.99.17", +<<<<<<< HEAD "10.69.57.206", "10.189.109.245", "10.150.220.75" +======= + "10.150.220.75", + "10.189.109.245", + "10.69.57.206" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "onse" 
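Review bot: The new side of this hunk commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)` are added as lines of generated.log-expected.json — so the fixture is no longer valid JSON and carries both the old and the sorted order of `related.ip` at once. The same markers appear in the later hunks of this file (-92, -298, -364, -432, -499 and every conflicted hunk through the last one visible here), and in the -298 and -837 hunks the incoming side only adds a second `"10.206.197.113"` / `"10.194.247.171"`, so resolving by taking either side by hand would still leave a duplicated, unsorted array. Since this file is generator output, the fix is to regenerate the expected file with the module test tooling rather than edit these hunks, and re-run the fileset test so the sorted arrays are actually verified against the pipeline. A `git diff --check` (which reports leftover conflict markers) or a JSON-parse step over `*-expected.json` in CI would have caught this before the backport landed.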
@@ -568,7 +601,12 @@ "10.199.34.241", "10.121.219.204", "10.153.136.222", +<<<<<<< HEAD "10.19.194.101" +======= + "10.19.194.101", + "10.199.34.241" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "temveleu" @@ -632,10 +670,17 @@ "aliqu6801.api.localdomain" ], "related.ip": [ +<<<<<<< HEAD "10.64.141.105", "10.46.27.57", "10.57.103.192", "10.182.199.231" +======= + "10.182.199.231", + "10.46.27.57", + "10.57.103.192", + "10.64.141.105" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "ice" @@ -699,9 +744,15 @@ "itame189.domain" ], "related.ip": [ +<<<<<<< HEAD "10.164.6.207", "10.3.134.237", "10.160.210.31", +======= + "10.160.210.31", + "10.164.6.207", + "10.3.134.237", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.32.67.231" ], "related.user": [ @@ -767,10 +818,17 @@ "tsedqu2456.www5.invalid" ], "related.ip": [ +<<<<<<< HEAD "10.42.138.192", "10.182.178.217", "10.235.101.253", "10.201.6.10" +======= + "10.182.178.217", + "10.201.6.10", + "10.235.101.253", + "10.42.138.192" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "giatnu" @@ -837,6 +895,10 @@ "related.ip": [ "10.194.247.171", "10.151.161.70", +<<<<<<< HEAD +======= + "10.194.247.171", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.22.102.198", "10.86.101.235" ], @@ -906,7 +968,12 @@ "10.204.35.15", "10.107.168.60", "10.167.172.155", +<<<<<<< HEAD "10.174.252.105" +======= + "10.174.252.105", + "10.204.35.15" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "mnisi" 
@@ -970,10 +1037,17 @@ "smo7167.www.test" ], "related.ip": [ +<<<<<<< HEAD "10.99.249.210", "10.182.191.174", "10.214.249.164", "10.81.26.208" +======= + "10.182.191.174", + "10.214.249.164", + "10.81.26.208", + "10.99.249.210" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "upta" @@ -1037,10 +1111,17 @@ "sauteiru4554.api.domain" ], "related.ip": [ +<<<<<<< HEAD "10.201.238.90", "10.88.101.53", "10.220.5.143", "10.101.226.128" +======= + "10.101.226.128", + "10.201.238.90", + "10.220.5.143", + "10.88.101.53" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "porro" @@ -1104,10 +1185,17 @@ "untut4046.internal.domain" ], "related.ip": [ +<<<<<<< HEAD "10.243.218.215", "10.30.133.66", "10.157.18.252", "10.217.150.196" +======= + "10.157.18.252", + "10.217.150.196", + "10.243.218.215", + "10.30.133.66" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "evit" @@ -1171,10 +1259,17 @@ "quid3147.mail.home" ], "related.ip": [ +<<<<<<< HEAD "10.167.227.44", "10.66.181.6", "10.148.161.250", "10.181.133.187" +======= + "10.148.161.250", + "10.167.227.44", + "10.181.133.187", + "10.66.181.6" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "adipisc" @@ -1241,8 +1336,13 @@ "related.ip": [ "10.107.9.163", "10.54.17.32", +<<<<<<< HEAD "10.84.163.178", "10.74.11.43" +======= + "10.74.11.43", + "10.84.163.178" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "mquisno" @@ -1306,10 +1406,17 @@ "lorsita2019.internal.home" ], "related.ip": [ +<<<<<<< HEAD "10.192.229.221", "10.112.32.213", "10.230.129.252", "10.184.73.211" +======= + "10.112.32.213", + "10.184.73.211", + "10.192.229.221", + "10.230.129.252" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "odi" 
@@ -1374,10 +1481,17 @@ "paquioff624.mail.invalid" ], "related.ip": [ +<<<<<<< HEAD "10.7.200.140", "10.161.148.64", "10.199.216.143", "10.198.213.189" +======= + "10.161.148.64", + "10.198.213.189", + "10.199.216.143", + "10.7.200.140" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "ccaeca" @@ -1441,10 +1555,10 @@ "mex2054.mail.corp" ], "related.ip": [ - "10.65.232.27", - "10.206.96.56", "10.128.157.27", - "10.22.187.69" + "10.206.96.56", + "10.22.187.69", + "10.65.232.27" ], "related.user": [ "uaeab" @@ -1508,10 +1622,17 @@ "avolupt7576.api.corp" ], "related.ip": [ +<<<<<<< HEAD "10.68.253.120", "10.183.130.225", "10.71.114.14", "10.194.210.62" +======= + "10.183.130.225", + "10.194.210.62", + "10.68.253.120", + "10.71.114.14" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "admin" @@ -1577,9 +1698,9 @@ ], "related.ip": [ "10.107.45.175", - "10.47.255.237", "10.31.177.226", - "10.45.253.103" + "10.45.253.103", + "10.47.255.237" ], "related.user": [ "remagn" @@ -1646,8 +1767,12 @@ "related.ip": [ "10.225.212.189", "10.44.58.106", +<<<<<<< HEAD "10.55.105.113", "10.213.94.135" +======= + "10.55.105.113" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "dquia" @@ -1711,10 +1836,17 @@ "ectiono2241.lan" ], "related.ip": [ +<<<<<<< HEAD "10.69.161.78", "10.255.74.136", "10.2.114.9", "10.163.209.70" +======= + "10.163.209.70", + "10.2.114.9", + "10.255.74.136", + "10.69.161.78" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "olabor" 
@@ -1778,10 +1910,17 @@ "umetMal1664.mail.lan" ], "related.ip": [ +<<<<<<< HEAD "10.252.102.110", "10.46.115.216", "10.12.129.137", "10.184.59.148" +======= + "10.12.129.137", + "10.184.59.148", + "10.252.102.110", + "10.46.115.216" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "perspici" @@ -1846,10 +1985,17 @@ "derit5270.mail.local" ], "related.ip": [ +<<<<<<< HEAD "10.155.204.243", "10.81.184.7", "10.105.52.140", "10.199.194.79" +======= + "10.105.52.140", + "10.155.204.243", + "10.199.194.79", + "10.81.184.7" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "eetd" @@ -1982,10 +2128,17 @@ "iutali7297.www.domain" ], "related.ip": [ +<<<<<<< HEAD "10.192.98.247", "10.100.199.226", "10.99.202.229", "10.190.122.27" +======= + "10.100.199.226", + "10.190.122.27", + "10.192.98.247", + "10.99.202.229" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "lloinven" @@ -2118,9 +2271,15 @@ ], "related.ip": [ "10.171.221.230", +<<<<<<< HEAD "10.36.63.31", "10.45.35.180", "10.222.165.250" +======= + "10.222.165.250", + "10.36.63.31", + "10.45.35.180" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "otamr" @@ -2184,10 +2343,17 @@ "tnonproi195.api.home" ], "related.ip": [ +<<<<<<< HEAD "10.199.127.211", "10.1.171.61", "10.83.238.145", "10.238.4.219" +======= + "10.1.171.61", + "10.199.127.211", + "10.238.4.219", + "10.83.238.145" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "reetdolo" @@ -2253,8 +2419,13 @@ "related.ip": [ "10.170.252.219", "10.44.226.104", +<<<<<<< HEAD "10.74.213.42", "10.65.141.244" +======= + "10.65.141.244", + "10.74.213.42" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "Nequepo" 
@@ -2319,9 +2490,15 @@ ], "related.ip": [ "10.180.48.221", +<<<<<<< HEAD "10.225.255.211", "10.183.223.149", "10.225.141.172" +======= + "10.183.223.149", + "10.225.141.172", + "10.225.255.211" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "nihil" @@ -2385,10 +2562,17 @@ "redo6311.api.invalid" ], "related.ip": [ +<<<<<<< HEAD "10.97.138.181", "10.205.174.181", "10.169.123.103", "10.176.64.28" +======= + "10.169.123.103", + "10.176.64.28", + "10.205.174.181", + "10.97.138.181" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "eseruntm" @@ -2453,10 +2637,17 @@ "dolorem1698.www.domain" ], "related.ip": [ +<<<<<<< HEAD "10.204.4.40", "10.75.120.11", "10.53.101.131", "10.169.101.161" +======= + "10.169.101.161", + "10.204.4.40", + "10.53.101.131", + "10.75.120.11" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "tquo" @@ -2521,10 +2712,17 @@ "evitae7333.www.lan" ], "related.ip": [ +<<<<<<< HEAD "10.87.120.87", "10.156.117.169", "10.6.222.112", "10.28.51.219" +======= + "10.156.117.169", + "10.28.51.219", + "10.6.222.112", + "10.87.120.87" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "onsequu" @@ -2655,10 +2853,17 @@ "olorsi2746.internal.localhost" ], "related.ip": [ +<<<<<<< HEAD "10.36.69.125", "10.15.240.220", "10.143.183.208", "10.248.206.210" +======= + "10.143.183.208", + "10.15.240.220", + "10.248.206.210", + "10.36.69.125" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "met" @@ -2723,10 +2928,17 @@ "edqu2208.www.localhost" ], "related.ip": [ +<<<<<<< HEAD "10.6.32.7", "10.142.186.43", "10.69.170.107", "10.34.133.2" +======= + "10.142.186.43", + "10.34.133.2", + "10.6.32.7", + "10.69.170.107" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "ipitlabo" 
@@ -2791,10 +3003,17 @@ "ender5647.www5.example" ], "related.ip": [ +<<<<<<< HEAD "10.59.103.10", "10.170.165.164", "10.142.22.24", "10.121.153.197" +======= + "10.121.153.197", + "10.142.22.24", + "10.170.165.164", + "10.59.103.10" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "borumSec" @@ -2859,10 +3078,17 @@ "sis3986.internal.lan" ], "related.ip": [ +<<<<<<< HEAD "10.247.114.30", "10.133.10.122", "10.19.99.129", "10.176.83.7" +======= + "10.133.10.122", + "10.176.83.7", + "10.19.99.129", + "10.247.114.30" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "quaeabil" @@ -2930,7 +3156,8 @@ "10.40.177.138", "10.8.29.219", "10.64.139.17", - "10.70.7.23" + "10.70.7.23", + "10.8.29.219" ], "related.user": [ "rep" @@ -2997,6 +3224,7 @@ "10.180.62.222", "10.67.173.228", "10.2.189.20", + "10.67.173.228", "10.67.221.220" ], "related.user": [ @@ -3062,9 +3290,15 @@ "uian521.www.example" ], "related.ip": [ +<<<<<<< HEAD "10.209.52.47", "10.196.176.243", "10.147.127.181", +======= + "10.147.127.181", + "10.196.176.243", + "10.209.52.47", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.56.134.118" ], "related.user": [ @@ -3129,10 +3363,15 @@ "taliq5213.api.corp" ], "related.ip": [ +<<<<<<< HEAD "10.248.140.59", "10.85.13.237", +======= + "10.226.24.84", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.231.18.90", - "10.226.24.84" + "10.248.140.59", + "10.85.13.237" ], "related.user": [ "Nem" @@ -3199,8 +3438,13 @@ "related.ip": [ "10.203.46.215", "10.207.183.204", +<<<<<<< HEAD "10.8.224.72", "10.59.215.207" +======= + "10.59.215.207", + "10.8.224.72" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "eruntmo" 
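Review bot: The `@@ -2930` and `@@ -2997` hunks here commit a `related.ip` array that now lists `"10.8.29.219"` and `"10.67.173.228"` twice, and the surrounding hunks still carry `<<<<<<< HEAD` / `=======` / `>>>>>>> 52f226530d...` markers, so the expected-output fixture is no longer valid JSON and the module test will fail to load it before any comparison runs. The duplicates and the two hunks that silently drop an address (`"10.152.157.32"` in `@@ -3876`, `"10.142.235.217"` in `@@ -4620`) look like artefacts of the conflicting cherry-pick rather than changes the sort intended, since a sort should only reorder entries, never add or remove them. Rather than resolving these arrays by hand, regenerate the `*.log-expected.json` file with the module's test generator on this branch and commit that output, then confirm no line matches `^(<<<<<<<|=======|>>>>>>>)` before merging. The enclosing JSON event objects start and end outside this chunk, so the remaining conflict regions in them are not visible here.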
@@ -3265,10 +3509,17 @@ "mexer3864.api.corp" ], "related.ip": [ +<<<<<<< HEAD "10.98.154.146", "10.255.145.22", "10.73.84.95", "10.230.38.148" +======= + "10.230.38.148", + "10.255.145.22", + "10.73.84.95", + "10.98.154.146" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "sitam" @@ -3400,10 +3651,17 @@ "fugiatnu2498.www.localhost" ], "related.ip": [ +<<<<<<< HEAD "10.182.213.195", "10.220.202.102", "10.195.139.25", "10.122.133.162" +======= + "10.122.133.162", + "10.182.213.195", + "10.195.139.25", + "10.220.202.102" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "aquae" @@ -3468,10 +3726,17 @@ "ptat3230.domain" ], "related.ip": [ +<<<<<<< HEAD "10.247.144.9", "10.156.208.5", "10.53.72.161", "10.33.143.163" +======= + "10.156.208.5", + "10.247.144.9", + "10.33.143.163", + "10.53.72.161" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "scip" @@ -3535,10 +3800,17 @@ "exer447.internal.localhost" ], "related.ip": [ +<<<<<<< HEAD "10.241.143.145", "10.21.58.162", "10.35.190.164", "10.113.65.192" +======= + "10.113.65.192", + "10.21.58.162", + "10.241.143.145", + "10.35.190.164" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "porin" @@ -3603,10 +3875,17 @@ "itanimi1934.home" ], "related.ip": [ +<<<<<<< HEAD "10.53.27.253", "10.75.113.240", "10.129.16.166", "10.19.154.103" +======= + "10.129.16.166", + "10.19.154.103", + "10.53.27.253", + "10.75.113.240" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "luptat" @@ -3672,9 +3951,15 @@ ], "related.ip": [ "10.120.50.13", +<<<<<<< HEAD "10.150.153.61", "10.22.213.196", "10.125.150.220" +======= + "10.125.150.220", + "10.150.153.61", + "10.22.213.196" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "inculpa" 
@@ -3739,10 +4024,17 @@ "edquiaco6562.api.lan" ], "related.ip": [ +<<<<<<< HEAD "10.229.155.171", "10.113.2.13", "10.85.52.249", "10.238.171.184" +======= + "10.113.2.13", + "10.229.155.171", + "10.238.171.184", + "10.85.52.249" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "tatiset" @@ -3807,9 +4099,15 @@ "tatis7315.mail.home" ], "related.ip": [ +<<<<<<< HEAD "10.220.1.249", "10.249.174.35", "10.198.150.185", +======= + "10.198.150.185", + "10.220.1.249", + "10.249.174.35", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.51.245.225" ], "related.user": [ @@ -3876,7 +4174,10 @@ ], "related.ip": [ "10.190.96.181", +<<<<<<< HEAD "10.152.157.32", +======= +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.251.82.195", "10.38.185.31" ], @@ -3942,10 +4243,17 @@ "itaedict199.mail.corp" ], "related.ip": [ +<<<<<<< HEAD "10.230.112.179", "10.190.247.194", "10.103.102.242", "10.211.198.50" +======= + "10.103.102.242", + "10.190.247.194", + "10.211.198.50", + "10.230.112.179" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "tDuisaut" @@ -4010,9 +4318,15 @@ ], "related.ip": [ "10.101.13.122", +<<<<<<< HEAD "10.251.101.61", "10.47.223.155", "10.219.83.199" +======= + "10.219.83.199", + "10.251.101.61", + "10.47.223.155" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "ectetur" @@ -4146,8 +4460,13 @@ ], "related.ip": [ "10.194.197.107", +<<<<<<< HEAD "10.27.181.27", "10.195.90.73", +======= + "10.195.90.73", + "10.27.181.27", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.45.152.205" ], "related.user": [ 
@@ -4213,10 +4532,17 @@ "ididu5505.api.localdomain" ], "related.ip": [ +<<<<<<< HEAD "10.43.239.97", "10.129.161.18", "10.183.90.25", "10.222.2.132" +======= + "10.129.161.18", + "10.183.90.25", + "10.222.2.132", + "10.43.239.97" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "aedicta" @@ -4280,10 +4606,17 @@ "mqui1099.api.corp" ], "related.ip": [ +<<<<<<< HEAD "10.248.156.138", "10.231.167.171", "10.67.129.100", "10.189.162.131" +======= + "10.189.162.131", + "10.231.167.171", + "10.248.156.138", + "10.67.129.100" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "sedquia" @@ -4348,10 +4681,10 @@ "siuta2155.lan" ], "related.ip": [ - "10.63.103.30", - "10.6.146.184", "10.142.106.66", - "10.185.107.27" + "10.185.107.27", + "10.6.146.184", + "10.63.103.30" ], "related.user": [ "sequu" @@ -4416,9 +4749,15 @@ ], "related.ip": [ "10.0.202.9", +<<<<<<< HEAD "10.214.93.200", "10.93.39.237", "10.119.179.182" +======= + "10.119.179.182", + "10.214.93.200", + "10.93.39.237" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "tionofd" @@ -4550,10 +4889,17 @@ "idolo6535.internal.example" ], "related.ip": [ +<<<<<<< HEAD "10.79.49.3", "10.29.122.183", "10.46.162.198", "10.145.128.250" +======= + "10.145.128.250", + "10.29.122.183", + "10.46.162.198", + "10.79.49.3" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "eni" @@ -4620,7 +4966,10 @@ "related.ip": [ "10.166.169.167", "10.177.232.136", +<<<<<<< HEAD "10.142.235.217", +======= +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.65.174.196" ], "related.user": [ 
@@ -4686,10 +5035,17 @@ "uptatem4446.internal.localhost" ], "related.ip": [ +<<<<<<< HEAD "10.215.184.154", "10.53.188.140", "10.191.78.86", "10.29.217.44" +======= + "10.191.78.86", + "10.215.184.154", + "10.29.217.44", + "10.53.188.140" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "iarc" @@ -4754,10 +5110,17 @@ "emq2514.api.localhost" ], "related.ip": [ +<<<<<<< HEAD "10.76.148.147", "10.135.77.156", "10.46.222.149", "10.74.74.129" +======= + "10.135.77.156", + "10.46.222.149", + "10.74.74.129", + "10.76.148.147" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "urve" @@ -4823,8 +5186,13 @@ "related.ip": [ "10.11.146.253", "10.130.203.37", +<<<<<<< HEAD "10.96.200.223", "10.145.49.29" +======= + "10.145.49.29", + "10.96.200.223" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "mvele" @@ -4888,10 +5256,17 @@ "ipi4827.mail.lan" ], "related.ip": [ +<<<<<<< HEAD "10.162.78.48", "10.48.75.140", "10.162.2.180", "10.24.23.209" +======= + "10.162.2.180", + "10.162.78.48", + "10.24.23.209", + "10.48.75.140" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "rumwr" @@ -4955,9 +5330,15 @@ "sequatD163.internal.example" ], "related.ip": [ +<<<<<<< HEAD "10.151.206.38", "10.66.92.83", "10.119.12.186", +======= + "10.119.12.186", + "10.151.206.38", + "10.66.92.83", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.97.105.115" ], "related.user": [ @@ -5022,9 +5403,15 @@ "itamet1303.invalid" ], "related.ip": [ +<<<<<<< HEAD "10.201.132.114", "10.169.139.250", "10.12.148.73", +======= + "10.12.148.73", + "10.169.139.250", + "10.201.132.114", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.64.76.142" ], "related.user": [ 
@@ -5091,9 +5478,15 @@ ], "related.ip": [ "10.111.128.11", +<<<<<<< HEAD "10.9.236.18", "10.200.116.191", "10.35.38.185" +======= + "10.200.116.191", + "10.35.38.185", + "10.9.236.18" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "umfug" @@ -5157,10 +5550,17 @@ "uredol2174.home" ], "related.ip": [ +<<<<<<< HEAD "10.240.62.238", "10.236.67.227", "10.134.238.8", "10.191.27.182" +======= + "10.134.238.8", + "10.191.27.182", + "10.236.67.227", + "10.240.62.238" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "tlabo" @@ -5225,9 +5625,14 @@ ], "related.ip": [ "10.109.14.142", + "10.165.66.92", "10.22.231.91", +<<<<<<< HEAD "10.65.35.64", "10.165.66.92" +======= + "10.65.35.64" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "perna" @@ -5291,10 +5696,17 @@ "inimav5557.www5.test" ], "related.ip": [ +<<<<<<< HEAD "10.64.161.215", "10.89.221.90", "10.71.112.86", "10.29.230.203" +======= + "10.29.230.203", + "10.64.161.215", + "10.71.112.86", + "10.89.221.90" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "rnatur" @@ -5358,9 +5770,15 @@ "nonn1650.www.test" ], "related.ip": [ +<<<<<<< HEAD "10.221.199.137", "10.79.208.135", "10.140.118.182", +======= + "10.140.118.182", + "10.221.199.137", + "10.79.208.135", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.88.226.76" ], "related.user": [ @@ -5426,10 +5844,10 @@ "acons3940.api.lan" ], "related.ip": [ - "10.35.73.208", - "10.189.244.22", + "10.126.61.230", "10.133.48.55", - "10.126.61.230" + "10.189.244.22", + "10.35.73.208" ], "related.user": [ "tia" 
@@ -5493,9 +5911,15 @@ "suscipit587.www.localhost" ], "related.ip": [ +<<<<<<< HEAD "10.35.65.72", "10.239.194.105", "10.240.94.109", +======= + "10.239.194.105", + "10.240.94.109", + "10.35.65.72", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.81.154.115" ], "related.user": [ @@ -5561,10 +5985,17 @@ "mnisiut6146.internal.local" ], "related.ip": [ +<<<<<<< HEAD "10.52.70.192", "10.150.56.227", "10.248.72.104", "10.38.253.213" +======= + "10.150.56.227", + "10.248.72.104", + "10.38.253.213", + "10.52.70.192" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "ionem" @@ -5629,10 +6060,17 @@ "borios1067.www5.home" ], "related.ip": [ +<<<<<<< HEAD "10.73.172.186", "10.218.15.164", "10.203.193.134", "10.62.218.239" +======= + "10.203.193.134", + "10.218.15.164", + "10.62.218.239", + "10.73.172.186" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "reh" @@ -5696,8 +6134,13 @@ "msequ323.www.example" ], "related.ip": [ +<<<<<<< HEAD "10.131.127.113", "10.10.46.43", +======= + "10.10.46.43", + "10.131.127.113", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.136.211.234", "10.60.20.76" ], @@ -5764,8 +6207,12 @@ "tdolorem813.internal.host" ], "related.ip": [ + "10.187.237.220", "10.233.181.250", +<<<<<<< HEAD "10.187.237.220", +======= +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.248.0.74", "10.50.177.151" ], @@ -5900,9 +6347,15 @@ "ntium5103.www5.localhost" ], "related.ip": [ +<<<<<<< HEAD "10.66.106.186", "10.173.114.63", "10.102.109.199", +======= + "10.102.109.199", + "10.173.114.63", + "10.66.106.186", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.91.115.139" ], "related.user": [ 
@@ -5971,7 +6424,8 @@ "10.0.175.17", "10.221.223.127", "10.159.155.88", - "10.198.157.122" + "10.198.157.122", + "10.221.223.127" ], "related.user": [ "iquipex" @@ -6035,10 +6489,17 @@ "equu7361.www5.localdomain" ], "related.ip": [ +<<<<<<< HEAD "10.30.20.187", "10.7.212.201", "10.189.70.237", "10.252.136.130" +======= + "10.189.70.237", + "10.252.136.130", + "10.30.20.187", + "10.7.212.201" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "ugiat" @@ -6171,9 +6632,15 @@ "uisnostr2390.mail.domain" ], "related.ip": [ +<<<<<<< HEAD "10.219.174.45", "10.17.20.93", "10.181.134.69", +======= + "10.17.20.93", + "10.181.134.69", + "10.219.174.45", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.251.167.219" ], "related.user": [ @@ -6239,6 +6706,11 @@ "luptate4811.mail.example" ], "related.ip": [ +<<<<<<< HEAD +======= + "10.223.99.90", + "10.28.233.253", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.30.117.82", "10.223.99.90", "10.37.14.20", @@ -6307,10 +6779,17 @@ "lites1614.www.corp" ], "related.ip": [ +<<<<<<< HEAD "10.8.32.17", "10.50.61.114", "10.125.20.22", "10.57.85.113" +======= + "10.125.20.22", + "10.50.61.114", + "10.57.85.113", + "10.8.32.17" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "qua" @@ -6375,9 +6854,15 @@ "lorinrep7686.mail.corp" ], "related.ip": [ +<<<<<<< HEAD "10.200.28.55", "10.181.63.82", "10.113.78.101", +======= + "10.113.78.101", + "10.181.63.82", + "10.200.28.55", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.215.224.27" ], "related.user": [ @@ -6444,8 +6929,13 @@ ], "related.ip": [ "10.139.20.223", +<<<<<<< HEAD "10.177.14.106", "10.169.95.128", +======= + "10.169.95.128", + "10.177.14.106", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.243.43.168" ], "related.user": [ 
@@ -6512,9 +7002,15 @@ ], "related.ip": [ "10.18.176.44", +<<<<<<< HEAD "10.92.168.198", "10.90.93.4", "10.39.100.88" +======= + "10.39.100.88", + "10.90.93.4", + "10.92.168.198" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "adminima" @@ -6579,9 +7075,15 @@ "essequam1161.domain" ], "related.ip": [ +<<<<<<< HEAD "10.193.43.135", "10.163.203.191", "10.173.13.179", +======= + "10.163.203.191", + "10.173.13.179", + "10.193.43.135", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.49.68.8" ], "related.user": [ @@ -6647,9 +7149,14 @@ ], "related.ip": [ "10.209.226.7", + "10.240.47.113", "10.31.147.51", +<<<<<<< HEAD "10.84.64.28", "10.240.47.113" +======= + "10.84.64.28" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "ull" @@ -6714,10 +7221,17 @@ "item3647.home" ], "related.ip": [ +<<<<<<< HEAD "10.86.1.244", "10.52.13.192", "10.225.189.229", "10.32.20.4" +======= + "10.225.189.229", + "10.32.20.4", + "10.52.13.192", + "10.86.1.244" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.user": [ "odtemp" diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 3cffcc89823..80ad809796d 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -21,8 +21,8 @@ "observer.vendor": "Fortinet", "process.pid": 7880, "related.hosts": [ - "litesse6379.api.domain", - "boNemoe4402.www.invalid" + "boNemoe4402.www.invalid", + "litesse6379.api.domain" ], "related.ip": [ "10.102.123.34", @@ -87,8 +87,8 @@ "olupt4880.api.home" ], "related.ip": [ - "10.33.212.159", - "10.149.203.46" + "10.149.203.46", + "10.33.212.159" ], "related.user": [ "mipsumq" 
@@ -145,12 +145,12 @@ "observer.vendor": "Fortinet", "process.pid": 445, "related.hosts": [ - "quis1130.internal.corp", - "aqu1628.internal.domain" + "aqu1628.internal.domain", + "quis1130.internal.corp" ], "related.ip": [ - "10.173.116.41", - "10.118.175.9" + "10.118.175.9", + "10.173.116.41" ], "related.user": [ "uame" @@ -397,8 +397,8 @@ "reetdolo2770.www5.local" ], "related.ip": [ - "10.214.225.125", - "10.12.44.169" + "10.12.44.169", + "10.214.225.125" ], "related.user": [ "erep" @@ -455,8 +455,8 @@ "observer.vendor": "Fortinet", "process.pid": 5037, "related.hosts": [ - "uovol492.www.localhost", - "isiu1114.internal.corp" + "isiu1114.internal.corp", + "uovol492.www.localhost" ], "related.ip": [ "10.198.136.50", @@ -644,8 +644,8 @@ "tatno6787.internal.localhost" ], "related.ip": [ - "10.65.83.160", - "10.136.252.240" + "10.136.252.240", + "10.65.83.160" ], "related.user": [ "ender" @@ -702,12 +702,12 @@ "observer.vendor": "Fortinet", "process.pid": 2703, "related.hosts": [ - "liq5883.localdomain", - "essecill2595.mail.local" + "essecill2595.mail.local", + "liq5883.localdomain" ], "related.ip": [ - "10.57.40.29", - "10.210.213.18" + "10.210.213.18", + "10.57.40.29" ], "related.user": [ "onse" @@ -763,8 +763,8 @@ "observer.vendor": "Fortinet", "process.pid": 5166, "related.hosts": [ - "rsint7026.test", - "ali6446.localhost" + "ali6446.localhost", + "rsint7026.test" ], "related.ip": [ "10.144.82.69", @@ -828,8 +828,8 @@ "torev7118.internal.domain" ], "related.ip": [ - "10.72.58.135", - "10.109.232.112" + "10.109.232.112", + "10.72.58.135" ], "related.user": [ "xea" @@ -886,12 +886,12 @@ "observer.vendor": "Fortinet", "process.pid": 1044, "related.hosts": [ - "luptat6494.www.example", - "dolore6103.www5.example" + "dolore6103.www5.example", + "luptat6494.www.example" ], "related.ip": [ - "10.72.29.73", - "10.38.22.45" + "10.38.22.45", + "10.72.29.73" ], "related.user": [ "onproide" 
@@ -948,8 +948,8 @@ "observer.vendor": "Fortinet", "process.pid": 7183, "related.hosts": [ - "moenimi6317.internal.invalid", - "errorsi6996.www.domain" + "errorsi6996.www.domain", + "moenimi6317.internal.invalid" ], "related.ip": [ "10.70.95.74", @@ -1010,8 +1010,8 @@ "observer.vendor": "Fortinet", "process.pid": 6907, "related.hosts": [ - "tion1761.home", - "lumquido5839.api.corp" + "lumquido5839.api.corp", + "tion1761.home" ], "related.ip": [ "10.19.201.13", @@ -1071,8 +1071,8 @@ "observer.vendor": "Fortinet", "process.pid": 499, "related.hosts": [ - "santium4235.api.local", - "aperia4409.www5.invalid" + "aperia4409.www5.invalid", + "santium4235.api.local" ], "related.ip": [ "10.78.151.178", @@ -1195,8 +1195,8 @@ "observer.vendor": "Fortinet", "process.pid": 6051, "related.hosts": [ - "equep5085.mail.domain", - "eme6710.mail.invalid" + "eme6710.mail.invalid", + "equep5085.mail.domain" ], "related.ip": [ "10.104.134.200", @@ -1261,8 +1261,8 @@ "ihilm1669.mail.invalid" ], "related.ip": [ - "10.225.160.182", - "10.191.105.82" + "10.191.105.82", + "10.225.160.182" ], "related.user": [ "eirure" @@ -1323,8 +1323,8 @@ "umexerci1284.internal.localdomain" ], "related.ip": [ - "10.161.57.8", - "10.141.44.153" + "10.141.44.153", + "10.161.57.8" ], "related.user": [ "quisnos" @@ -1381,8 +1381,8 @@ "observer.vendor": "Fortinet", "process.pid": 3365, "related.hosts": [ - "lit5929.test", - "adol485.example" + "adol485.example", + "lit5929.test" ], "related.ip": [ "10.153.111.103", @@ -1442,12 +1442,12 @@ "observer.vendor": "Fortinet", "process.pid": 1835, "related.hosts": [ - "oru6938.invalid", - "evita5008.www.localdomain" + "evita5008.www.localdomain", + "oru6938.invalid" ], "related.ip": [ - "10.248.204.182", - "10.134.148.219" + "10.134.148.219", + "10.248.204.182" ], "related.user": [ "uioffi" 
@@ -1626,12 +1626,12 @@ "observer.vendor": "Fortinet", "process.pid": 3022, "related.hosts": [ - "rumwritt6003.host", - "reme622.mail.example" + "reme622.mail.example", + "rumwritt6003.host" ], "related.ip": [ - "10.32.239.1", - "10.241.65.49" + "10.241.65.49", + "10.32.239.1" ], "related.user": [ "idata" @@ -1687,8 +1687,8 @@ "observer.vendor": "Fortinet", "process.pid": 2328, "related.hosts": [ - "xeacomm6855.api.corp", - "non3341.mail.invalid" + "non3341.mail.invalid", + "xeacomm6855.api.corp" ], "related.ip": [ "10.101.57.120", @@ -1753,8 +1753,8 @@ "ris727.api.local" ], "related.ip": [ - "10.14.211.43", - "10.130.14.60" + "10.130.14.60", + "10.14.211.43" ], "related.user": [ "litse" @@ -1873,8 +1873,8 @@ "observer.vendor": "Fortinet", "process.pid": 5651, "related.hosts": [ - "orem6702.invalid", - "etcons7378.api.lan" + "etcons7378.api.lan", + "orem6702.invalid" ], "related.ip": [ "10.111.187.12", @@ -1938,8 +1938,8 @@ "vita2681.www5.local" ], "related.ip": [ - "10.66.2.232", - "10.27.14.168" + "10.27.14.168", + "10.66.2.232" ], "related.user": [ "uirati" @@ -2058,12 +2058,12 @@ "observer.vendor": "Fortinet", "process.pid": 6945, "related.hosts": [ - "ptasn6599.www.localhost", - "lup2134.www.localhost" + "lup2134.www.localhost", + "ptasn6599.www.localhost" ], "related.ip": [ - "10.245.104.182", - "10.201.238.90" + "10.201.238.90", + "10.245.104.182" ], "related.user": [ "ovol" @@ -2124,8 +2124,8 @@ "tanimid3337.mail.corp" ], "related.ip": [ - "10.217.150.196", - "10.105.91.31" + "10.105.91.31", + "10.217.150.196" ], "related.user": [ "con" @@ -2181,8 +2181,8 @@ "observer.vendor": "Fortinet", "process.pid": 4153, "related.hosts": [ - "gitsedqu2649.mail.lan", - "eumiu765.api.lan" + "eumiu765.api.lan", + "gitsedqu2649.mail.lan" ], "related.ip": [ "10.184.18.202", 
@@ -2305,12 +2305,12 @@ "observer.vendor": "Fortinet", "process.pid": 337, "related.hosts": [ - "tut2703.www.host", - "idestlab2631.www.lan" + "idestlab2631.www.lan", + "tut2703.www.host" ], "related.ip": [ - "10.83.177.2", - "10.27.16.118" + "10.27.16.118", + "10.83.177.2" ], "related.user": [ "borios" @@ -2371,8 +2371,8 @@ "inesci6789.test" ], "related.ip": [ - "10.38.54.72", - "10.167.227.44" + "10.167.227.44", + "10.38.54.72" ], "related.user": [ "riamea" @@ -2428,8 +2428,8 @@ "observer.vendor": "Fortinet", "process.pid": 3854, "related.hosts": [ - "proide3714.mail.localdomain", - "ccaeca7077.internal.corp" + "ccaeca7077.internal.corp", + "proide3714.mail.localdomain" ], "related.ip": [ "10.216.54.184", @@ -2490,8 +2490,8 @@ "observer.vendor": "Fortinet", "process.pid": 55, "related.hosts": [ - "tot5313.mail.invalid", - "ima2031.api.corp" + "ima2031.api.corp", + "tot5313.mail.invalid" ], "related.ip": [ "10.9.12.248", @@ -2552,8 +2552,8 @@ "observer.vendor": "Fortinet", "process.pid": 228, "related.hosts": [ - "rumet3801.internal.domain", - "ian867.internal.corp" + "ian867.internal.corp", + "rumet3801.internal.domain" ], "related.ip": [ "10.41.123.102", @@ -2618,8 +2618,8 @@ "lorin4249.corp" ], "related.ip": [ - "10.80.152.108", - "10.175.112.197" + "10.175.112.197", + "10.80.152.108" ], "related.user": [ "tametcon" @@ -2676,8 +2676,8 @@ "observer.vendor": "Fortinet", "process.pid": 2200, "related.hosts": [ - "sequat7273.api.host", - "gnaaliqu3935.api.test" + "gnaaliqu3935.api.test", + "sequat7273.api.host" ], "related.ip": [ "10.134.18.114", @@ -2738,8 +2738,8 @@ "observer.vendor": "Fortinet", "process.pid": 5717, "related.hosts": [ - "uidol4575.localhost", - "nsequat1859.internal.localhost" + "nsequat1859.internal.localhost", + "uidol4575.localhost" ], "related.ip": [ "10.223.119.218", 
@@ -2923,12 +2923,12 @@ "observer.vendor": "Fortinet", "process.pid": 3624, "related.hosts": [ - "sequatD5469.www5.lan", - "rem7043.localhost" + "rem7043.localhost", + "sequatD5469.www5.lan" ], "related.ip": [ - "10.65.2.106", - "10.227.173.252" + "10.227.173.252", + "10.65.2.106" ], "related.user": [ "itation" @@ -2985,8 +2985,8 @@ "observer.vendor": "Fortinet", "process.pid": 1609, "related.hosts": [ - "item2738.test", - "emqu2846.internal.home" + "emqu2846.internal.home", + "item2738.test" ], "related.ip": [ "10.193.233.229", @@ -3046,12 +3046,12 @@ "observer.vendor": "Fortinet", "process.pid": 6248, "related.hosts": [ - "iosamnis1047.internal.localdomain", - "dqu6144.api.localhost" + "dqu6144.api.localhost", + "iosamnis1047.internal.localdomain" ], "related.ip": [ - "10.210.89.183", - "10.150.245.88" + "10.150.245.88", + "10.210.89.183" ], "related.user": [ "sequa" @@ -3108,12 +3108,12 @@ "observer.vendor": "Fortinet", "process.pid": 7224, "related.hosts": [ - "orroq6677.internal.example", - "giatquov1918.internal.example" + "giatquov1918.internal.example", + "orroq6677.internal.example" ], "related.ip": [ - "10.85.185.13", - "10.180.195.43" + "10.180.195.43", + "10.85.185.13" ], "related.user": [ "voluptas" @@ -3170,8 +3170,8 @@ "observer.vendor": "Fortinet", "process.pid": 430, "related.hosts": [ - "onevo4326.internal.local", - "estl5804.internal.local" + "estl5804.internal.local", + "onevo4326.internal.local" ], "related.ip": [ "10.210.28.247", @@ -3232,12 +3232,12 @@ "observer.vendor": "Fortinet", "process.pid": 3589, "related.hosts": [ - "itaedict7233.mail.localdomain", - "Sedut1775.www.domain" + "Sedut1775.www.domain", + "itaedict7233.mail.localdomain" ], "related.ip": [ - "10.86.11.48", - "10.248.165.185" + "10.248.165.185", + "10.86.11.48" ], "related.user": [ "dquiac" 
@@ -3294,8 +3294,8 @@ "observer.vendor": "Fortinet", "process.pid": 4814, "related.hosts": [ - "numquam5869.internal.example", - "mac7484.www5.test" + "mac7484.www5.test", + "numquam5869.internal.example" ], "related.ip": [ "10.118.6.177", @@ -3356,8 +3356,8 @@ "observer.vendor": "Fortinet", "process.pid": 276, "related.hosts": [ - "onu6137.api.home", - "oin1140.mail.localhost" + "oin1140.mail.localhost", + "onu6137.api.home" ], "related.ip": [ "10.60.142.127", @@ -3422,8 +3422,8 @@ "naaliq3710.api.local" ], "related.ip": [ - "10.28.82.189", - "10.120.10.211" + "10.120.10.211", + "10.28.82.189" ], "related.user": [ "rcit" @@ -3484,8 +3484,8 @@ "volupta3552.internal.localhost" ], "related.ip": [ - "10.6.38.163", - "10.31.237.225" + "10.31.237.225", + "10.6.38.163" ], "related.user": [ "olup" @@ -3728,12 +3728,12 @@ "observer.vendor": "Fortinet", "process.pid": 1586, "related.hosts": [ - "nreprehe715.api.home", - "minim459.mail.local" + "minim459.mail.local", + "nreprehe715.api.home" ], "related.ip": [ - "10.17.87.79", - "10.123.199.198" + "10.123.199.198", + "10.17.87.79" ], "related.user": [ "ratvolu" @@ -3790,8 +3790,8 @@ "observer.vendor": "Fortinet", "process.pid": 5137, "related.hosts": [ - "unte893.internal.host", - "eratv211.api.host" + "eratv211.api.host", + "unte893.internal.host" ], "related.ip": [ "10.115.68.40", @@ -3852,8 +3852,8 @@ "observer.vendor": "Fortinet", "process.pid": 5704, "related.hosts": [ - "aspe951.mail.domain", - "aparia1179.www.localdomain" + "aparia1179.www.localdomain", + "aspe951.mail.domain" ], "related.ip": [ "10.115.174.107", @@ -4038,12 +4038,12 @@ "observer.vendor": "Fortinet", "process.pid": 2465, "related.hosts": [ - "tiumto5834.api.lan", - "mag1506.internal.domain" + "mag1506.internal.domain", + "tiumto5834.api.lan" ], "related.ip": [ - "10.182.152.242", - "10.131.126.109" + "10.131.126.109", + "10.182.152.242" ], "related.user": [ "dolor" 
@@ -4100,8 +4100,8 @@ "observer.vendor": "Fortinet", "process.pid": 6064, "related.hosts": [ - "iutal6032.www.test", - "fugits1163.host" + "fugits1163.host", + "iutal6032.www.test" ], "related.ip": [ "10.77.229.168", @@ -4162,8 +4162,8 @@ "observer.vendor": "Fortinet", "process.pid": 2861, "related.hosts": [ - "inculp2078.host", - "gitse2463.www5.invalid" + "gitse2463.www5.invalid", + "inculp2078.host" ], "related.ip": [ "10.235.116.121", @@ -4227,8 +4227,8 @@ "temse6953.www.example" ], "related.ip": [ - "10.28.124.236", - "10.149.193.117" + "10.149.193.117", + "10.28.124.236" ], "related.user": [ "mullam" @@ -4285,8 +4285,8 @@ "observer.vendor": "Fortinet", "process.pid": 1710, "related.hosts": [ - "squira4455.api.domain", - "deriti6952.mail.domain" + "deriti6952.mail.domain", + "squira4455.api.domain" ], "related.ip": [ "10.34.131.224", @@ -4347,12 +4347,12 @@ "observer.vendor": "Fortinet", "process.pid": 4984, "related.hosts": [ - "emveleum3661.localhost", - "abor1370.www.domain" + "abor1370.www.domain", + "emveleum3661.localhost" ], "related.ip": [ - "10.97.236.123", - "10.77.78.180" + "10.77.78.180", + "10.97.236.123" ], "related.user": [ "nisi" @@ -4408,8 +4408,8 @@ "observer.vendor": "Fortinet", "process.pid": 3421, "related.hosts": [ - "sedquiac6517.internal.localhost", - "emullamc5418.mail.test" + "emullamc5418.mail.test", + "sedquiac6517.internal.localhost" ], "related.ip": [ "10.82.133.66", @@ -4470,8 +4470,8 @@ "observer.vendor": "Fortinet", "process.pid": 4020, "related.hosts": [ - "veniam3148.www5.home", - "squirati7050.www5.lan" + "squirati7050.www5.lan", + "veniam3148.www5.home" ], "related.ip": [ "10.170.252.219", @@ -4656,12 +4656,12 @@ "observer.vendor": "Fortinet", "process.pid": 2442, "related.hosts": [ - "uaeabi3728.www5.invalid", - "gelitsed3249.corp" + "gelitsed3249.corp", + "uaeabi3728.www5.invalid" ], "related.ip": [ - "10.225.255.211", - "10.138.210.116" + "10.138.210.116", + "10.225.255.211" ], "related.user": [ "fugiatn" 
@@ -4718,8 +4718,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 6311,
 "related.hosts": [
- "uamqu2804.test",
- "dolor7082.internal.localhost"
+ "dolor7082.internal.localhost",
+ "uamqu2804.test"
 ],
 "related.ip": [
 "10.250.81.189",
@@ -4902,8 +4902,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 3284,
 "related.hosts": [
- "stquidol239.www5.invalid",
- "lup3313.api.home"
+ "lup3313.api.home",
+ "stquidol239.www5.invalid"
 ],
 "related.ip": [
 "10.47.179.68",
@@ -4964,8 +4964,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 2314,
 "related.hosts": [
- "gia6531.mail.invalid",
- "edq5397.www.test"
+ "edq5397.www.test",
+ "gia6531.mail.invalid"
 ],
 "related.ip": [
 "10.221.206.74",
@@ -5030,8 +5030,8 @@
 "udan6536.www5.test"
 ],
 "related.ip": [
- "10.85.104.146",
- "10.14.204.36"
+ "10.14.204.36",
+ "10.85.104.146"
 ],
 "related.user": [
 "emp"
@@ -5150,8 +5150,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 4337,
 "related.hosts": [
- "santi837.api.domain",
- "itse522.internal.localdomain"
+ "itse522.internal.localdomain",
+ "santi837.api.domain"
 ],
 "related.ip": [
 "10.19.119.17",
@@ -5212,12 +5212,12 @@
 "observer.vendor": "Fortinet",
 "process.pid": 5275,
 "related.hosts": [
- "lpaquiof804.internal.invalid",
- "amc3059.local"
+ "amc3059.local",
+ "lpaquiof804.internal.invalid"
 ],
 "related.ip": [
- "10.29.109.126",
- "10.181.41.154"
+ "10.181.41.154",
+ "10.29.109.126"
 ],
 "related.user": [
 "labo"
@@ -5274,8 +5274,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 2286,
 "related.hosts": [
- "nonn4478.host",
- "enbyCi3813.api.domain"
+ "enbyCi3813.api.domain",
+ "nonn4478.host"
 ],
 "related.ip": [
 "10.164.207.42",
@@ -5397,8 +5397,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 226,
 "related.hosts": [
- "orem6317.local",
- "isn3991.local"
+ "isn3991.local",
+ "orem6317.local"
 ],
 "related.ip": [
 "10.103.189.199",
@@ -5458,8 +5458,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 4691,
 "related.hosts": [
- "velill3230.www.corp",
- "iumtotam1010.www5.corp"
+ "iumtotam1010.www5.corp",
+ "velill3230.www.corp"
 ],
 "related.ip": [
 "10.133.254.23",
@@ -5520,12 +5520,12 @@
 "observer.vendor": "Fortinet",
 "process.pid": 5647,
 "related.hosts": [
- "orumS757.www5.corp",
- "onsecte91.www5.localdomain"
+ "onsecte91.www5.localdomain",
+ "orumS757.www5.corp"
 ],
 "related.ip": [
- "10.91.2.135",
- "10.126.245.73"
+ "10.126.245.73",
+ "10.91.2.135"
 ],
 "related.user": [
 "olore"
@@ -5582,8 +5582,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 2313,
 "related.hosts": [
- "emi4534.www.localdomain",
- "abori7686.internal.host"
+ "abori7686.internal.host",
+ "emi4534.www.localdomain"
 ],
 "related.ip": [
 "10.137.85.123",
@@ -5648,8 +5648,8 @@
 "reprehen3513.test"
 ],
 "related.ip": [
- "10.61.225.196",
- "10.10.86.55"
+ "10.10.86.55",
+ "10.61.225.196"
 ],
 "related.user": [
 "eniamqu"
@@ -5710,8 +5710,8 @@
 "orroquis284.api.domain"
 ],
 "related.ip": [
- "10.79.73.195",
- "10.125.143.153"
+ "10.125.143.153",
+ "10.79.73.195"
 ],
 "related.user": [
 "emip"
@@ -5830,8 +5830,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 4474,
 "related.hosts": [
- "siarc6339.internal.corp",
- "rumSecti111.www5.domain"
+ "rumSecti111.www5.domain",
+ "siarc6339.internal.corp"
 ],
 "related.ip": [
 "10.222.245.80",
@@ -5892,8 +5892,8 @@
 "observer.vendor": "Fortinet",
 "process.pid": 4855,
 "related.hosts": [
- "ptatev6552.www.test",
- "olores7881.local"
+ "olores7881.local",
+ "ptatev6552.www.test"
 ],
 "related.ip": [
 "10.143.53.214",
@@ -6020,8 +6020,8 @@
 "uptasnul2751.www5.corp"
 ],
 "related.ip": [
- "10.194.67.223",
- "10.161.64.168"
+ "10.161.64.168",
+ "10.194.67.223"
 ],
 "related.user": [
 "tion"
@@ -6077,12 +6077,12 @@
 "observer.vendor": "Fortinet",
 "process.pid": 6094,
 "related.hosts": [
- "xercit7649.www5.home",
- "upt6017.api.localdomain"
+ "upt6017.api.localdomain",
+ "xercit7649.www5.home"
 ],
 "related.ip": [
- "10.120.148.241",
- "10.100.154.220"
+ "10.100.154.220",
+ "10.120.148.241"
 ],
 "related.user": [
 "rsitam"
diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json
index 172748796d1..bc14c10457b 100644
--- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json
@@ -402,8 +402,8 @@
 "event.start": "2020-04-18T12:17:29.360-05:00",
 "event.timezone": "-0500",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "pass",
@@ -461,8 +461,8 @@
 "dns.question.name": "elastic.example.com",
 "dns.question.type": "A",
 "dns.resolved_ip": [
- "8.8.8.8",
- "8.8.4.4"
+ "8.8.4.4",
+ "8.8.8.8"
 ],
 "event.action": "dns-response",
 "event.category": [
@@ -476,8 +476,8 @@
 "event.start": "2020-04-18T12:17:29.360-05:00",
 "event.timezone": "-0500",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "pass",
@@ -506,8 +506,8 @@
 ],
 "related.ip": [
 "192.168.2.1",
- "8.8.8.8",
- "8.8.4.4"
+ "8.8.4.4",
+ "8.8.8.8"
 ],
 "rule.category": "Web-based Email",
 "rule.id": "26",
@@ -624,8 +624,8 @@
 "event.start": "2020-04-18T12:17:04.712-05:00",
 "event.timezone": "-0500",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "pass",
@@ -810,8 +810,8 @@
 "event.start": "2020-04-18T12:32:48.439-05:00",
 "event.timezone": "-0500",
 "event.type": [
- "user",
- "start"
+ "start",
+ "user"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "FSSO-logon",
@@ -887,8 +887,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "8.8.8.8",
- "8.8.4.4"
+ "8.8.4.4",
+ "8.8.8.8"
 ],
 "rule.description": "IPsec phase 1 error",
 "service.type": "fortinet",
@@ -955,8 +955,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "9.9.9.9",
- "8.4.5.4"
+ "8.4.5.4",
+ "9.9.9.9"
 ],
 "rule.description": "Progress IPsec phase 1",
 "service.type": "fortinet",
@@ -1032,8 +1032,8 @@
 "event.start": "2020-04-18T12:32:10.109-05:00",
 "event.timezone": "-0500",
 "event.type": [
- "user",
- "start"
+ "start",
+ "user"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "auth-logon",
@@ -1318,8 +1318,8 @@
 "event.start": "2020-04-18T14:16:44.674-03:00",
 "event.timezone": "-0300",
 "event.type": [
- "user",
- "end"
+ "end",
+ "user"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "FSSO-logoff",
@@ -1435,9 +1435,9 @@
 "event.start": "2020-04-18T12:14:09.761-05:00",
 "event.timezone": "-0500",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "dns",
@@ -1507,9 +1507,9 @@
 "event.start": "2020-04-18T12:11:51.390-05:00",
 "event.timezone": "-0500",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "accept",
@@ -1596,10 +1596,10 @@
 "event.start": "2020-04-18T12:11:48.751-05:00",
 "event.timezone": "-0500",
 "event.type": [
+ "allowed",
 "connection",
 "end",
- "protocol",
- "allowed"
+ "protocol"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "accept",
@@ -1674,10 +1674,10 @@
 "event.start": "2020-04-18T13:10:57.509-04:00",
 "event.timezone": "-0400",
 "event.type": [
+ "allowed",
 "connection",
 "end",
- "protocol",
- "allowed"
+ "protocol"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "accept",
@@ -1707,8 +1707,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "9.7.7.7",
- "8.8.8.8"
+ "8.8.8.8",
+ "9.7.7.7"
 ],
 "rule.category": "unscanned",
 "rule.id": "0",
@@ -1743,9 +1743,9 @@
 "event.start": "2020-04-18T12:14:39.841-05:00",
 "event.timezone": "-0500",
 "event.type": [
+ "allowed",
 "connection",
- "end",
- "allowed"
+ "end"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "ip-conn",
@@ -1821,9 +1821,9 @@
 "event.timezone": "-0500",
 "event.type": [
 "connection",
+ "denied",
 "end",
- "protocol",
- "denied"
+ "protocol"
 ],
 "fileset.name": "firewall",
 "fortinet.firewall.action": "close",
diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json
index 75a2fbfe347..c61923da5a9 100644
--- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json
@@ -1011,8 +1011,8 @@
 "lapariat7287.internal.host"
 ],
 "related.ip": [
- "10.68.246.187",
- "10.140.7.83"
+ "10.140.7.83",
+ "10.68.246.187"
 ],
 "rsa.email.email_dst": "gna",
 "rsa.email.email_src": "icabo",
@@ -2684,8 +2684,8 @@
 "taevit4968.mail.local"
 ],
 "related.ip": [
- "10.62.61.1",
- "10.144.111.42"
+ "10.144.111.42",
+ "10.62.61.1"
 ],
 "rsa.email.email_dst": "com",
 "rsa.email.email_src": "lam",
@@ -3131,8 +3131,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Fortinet",
 "related.hosts": [
- "taevitae6868.www.corp",
- "modi6930.internal.test"
+ "modi6930.internal.test",
+ "taevitae6868.www.corp"
 ],
 "related.ip": [
 "10.161.1.146",
@@ -3239,8 +3239,8 @@
 "uradip7802.mail.example"
 ],
 "related.ip": [
- "10.93.239.216",
- "10.44.35.57"
+ "10.44.35.57",
+ "10.93.239.216"
 ],
 "rsa.email.email_dst": "ciun",
 "rsa.email.email_src": "vento",
@@ -3845,8 +3845,8 @@
 "ncu3839.www.localhost"
 ],
 "related.ip": [
- "10.251.183.113",
- "10.201.105.58"
+ "10.201.105.58",
+ "10.251.183.113"
 ],
 "rsa.email.email_dst": "ionemu",
 "rsa.email.email_src": "ent",
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json
index 8006c3293b3..81542059638 100644
--- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json
@@ -28,9 +28,15 @@
 "modtempo"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.20.234.169",
 "10.44.173.44",
 "10.189.58.145"
+=======
+ "10.189.58.145",
+ "10.20.234.169",
+ "10.44.173.44"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -94,9 +100,9 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.410",
 "related.hosts": [
+ "aer445.host",
 "mvolu",
- "pisciv",
- "aer445.host"
+ "pisciv"
 ],
 "related.ip": [
 "10.171.204.166",
@@ -161,8 +167,8 @@
 "url.original": "https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS",
 "url.path": "/orisn/cca.htm",
 "url.query": [
- "taspe",
- "ofdeF=metcons"
+ "ofdeF=metcons",
+ "taspe"
 ],
 "url.scheme": "https",
 "user.name": "oluptas"
@@ -196,9 +202,9 @@
 "ccaecat"
 ],
 "related.ip": [
- "10.94.103.117",
+ "10.15.159.80",
 "10.200.188.142",
- "10.15.159.80"
+ "10.94.103.117"
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -263,9 +269,15 @@
 "lorem"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.50.112.141",
 "10.27.88.95",
 "10.131.233.27"
+=======
+ "10.131.233.27",
+ "10.27.88.95",
+ "10.50.112.141"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
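Review bot: The fortimanager expected file is committed with unresolved cherry-pick conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 52f226530d...`) inside the `related.ip` arrays of `@@ -28,9 +28,15 @@` and `@@ -263,9 +269,15 @@`, so the file is no longer valid JSON and anything that loads it as expected output will fail before comparing a single event. The same markers appear in most later hunks of this file, from `@@ -331,8 +343,13 @@` through `@@ -7455,8 +7678,13 @@`, and each should be resolved by keeping the `>>>>>>>` side, which carries the sorted order this commit is meant to introduce. In `@@ -972,6 +1006,10 @@` the HEAD side is empty and the unchanged context line `"10.217.150.196",` remains above the marker, so keeping only the incoming side would appear to leave that address both duplicated and out of order; regenerating the file with the updated generator looks safer than resolving by hand. The `related.hosts` conflicts (for example `@@ -700,13 +717,19 @@`) follow the same pattern.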
@@ -331,8 +343,13 @@
 "observer.version": "1.5670",
 "related.hosts": [
 "ntutl",
+<<<<<<< HEAD
 "roinBCSe",
 "olo7148.mail.home"
+=======
+ "olo7148.mail.home",
+ "roinBCSe"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.87.212.179",
@@ -346,8 +363,8 @@
 "rsa.investigations.event_vcat": "aveniam",
 "rsa.misc.OS": "oll",
 "rsa.misc.action": [
- "allow",
- "ali"
+ "ali",
+ "allow"
 ],
 "rsa.misc.category": "emeumfug",
 "rsa.misc.client": "caecatc",
@@ -397,8 +414,8 @@
 "url.original": "https://api.example.com/iumto/aboreetd.gif?dun=enim#saute",
 "url.path": "/iumto/aboreetd.gif",
 "url.query": [
- "nsect",
- "dun=enim"
+ "dun=enim",
+ "nsect"
 ],
 "url.scheme": "https",
 "user.name": "rveli"
@@ -431,9 +448,9 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.152",
 "related.hosts": [
+ "agna7678.internal.host",
 "onse",
- "orain",
- "agna7678.internal.host"
+ "orain"
 ],
 "related.ip": [
 "10.114.150.67",
@@ -532,9 +549,9 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.4059",
 "related.hosts": [
+ "equep5085.mail.domain",
 "tatn",
- "utla",
- "equep5085.mail.domain"
+ "utla"
 ],
 "related.ip": [
 "10.195.36.51",
@@ -548,8 +565,8 @@
 "rsa.investigations.event_vcat": "quae",
 "rsa.misc.OS": "qui",
 "rsa.misc.action": [
- "iadese",
- "accept"
+ "accept",
+ "iadese"
 ],
 "rsa.misc.category": "aturve",
 "rsa.misc.client": "utei",
@@ -599,8 +616,8 @@
 "url.original": "https://www.example.org/inesci/serror.html?mqu=apariat#tlabore",
 "url.path": "/inesci/serror.html",
 "url.query": [
- "nsectet",
- "mqu=apariat"
+ "mqu=apariat",
+ "nsectet"
 ],
 "url.scheme": "https",
 "user.name": "nnum"
@@ -700,13 +717,19 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.3917",
 "related.hosts": [
+<<<<<<< HEAD
 "gnido",
 "sperna",
 "eturadi6608.mail.host"
+=======
+ "eturadi6608.mail.host",
+ "gnido",
+ "sperna"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
- "10.61.163.4",
- "10.23.62.94"
+ "10.23.62.94",
+ "10.61.163.4"
 ],
 "related.user": [
 "non"
@@ -801,13 +824,19 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.2580",
 "related.hosts": [
+<<<<<<< HEAD
 "tani",
 "ecte",
 "ipsumdol4488.api.localdomain"
+=======
+ "ecte",
+ "ipsumdol4488.api.localdomain",
+ "tani"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
- "10.28.76.42",
- "10.106.31.86"
+ "10.106.31.86",
+ "10.28.76.42"
 ],
 "related.user": [
 "cons"
@@ -904,8 +933,13 @@
 ],
 "related.ip": [
 "10.106.162.153",
+<<<<<<< HEAD
 "10.58.214.16",
 "10.238.164.74"
+=======
+ "10.238.164.74",
+ "10.58.214.16"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -972,6 +1006,10 @@
 "related.ip": [
 "10.217.150.196",
 "10.110.31.190",
+<<<<<<< HEAD
+=======
+ "10.217.150.196",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "10.225.141.20"
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
@@ -1037,8 +1075,13 @@
 "observer.version": "1.3319",
 "related.hosts": [
 "amc",
+<<<<<<< HEAD
 "mestq",
 "cusant4946.www.domain"
+=======
+ "cusant4946.www.domain",
+ "mestq"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.137.56.173",
@@ -1103,8 +1146,8 @@
 "url.original": "https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi",
 "url.path": "/isnostr/umqu.htm",
 "url.query": [
- "uptate",
- "emquia=inesci"
+ "emquia=inesci",
+ "uptate"
 ],
 "url.scheme": "https",
 "user.name": "proide"
@@ -1138,9 +1181,9 @@
 "onsecte"
 ],
 "related.ip": [
+ "10.25.212.118",
 "10.30.47.165",
- "10.5.235.217",
- "10.25.212.118"
+ "10.5.235.217"
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -1204,13 +1247,13 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.225",
 "related.hosts": [
+ "ccaeca5504.internal.example",
 "equaturv",
- "tvolu",
- "ccaeca5504.internal.example"
+ "tvolu"
 ],
 "related.ip": [
- "10.40.152.253",
- "10.149.13.76"
+ "10.149.13.76",
+ "10.40.152.253"
 ],
 "related.user": [
 "tetur"
@@ -1220,8 +1263,8 @@
 "rsa.investigations.event_vcat": "psumqu",
 "rsa.misc.OS": "oraincid",
 "rsa.misc.action": [
- "ritt",
- "deny"
+ "deny",
+ "ritt"
 ],
 "rsa.misc.category": "idunt",
 "rsa.misc.client": "siu",
@@ -1306,9 +1349,15 @@
 "xea"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.51.213.42",
 "10.98.194.212",
 "10.233.120.207"
+=======
+ "10.233.120.207",
+ "10.51.213.42",
+ "10.98.194.212"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -1440,12 +1489,17 @@
 "observer.version": "1.1847",
 "related.hosts": [
 "cingel",
+<<<<<<< HEAD
 "uii",
 "tore7088.www.invalid"
+=======
+ "tore7088.www.invalid",
+ "uii"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
- "10.212.214.4",
- "10.199.47.220"
+ "10.199.47.220",
+ "10.212.214.4"
 ],
 "related.user": [
 "atv"
@@ -1541,12 +1595,17 @@
 "observer.version": "1.760",
 "related.hosts": [
 "dolorsit",
+<<<<<<< HEAD
 "rcit",
 "mve1890.internal.home"
+=======
+ "mve1890.internal.home",
+ "rcit"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
- "10.46.56.204",
- "10.234.165.130"
+ "10.234.165.130",
+ "10.46.56.204"
 ],
 "related.user": [
 "orese"
@@ -1607,8 +1666,8 @@
 "url.original": "https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut",
 "url.path": "/redol/gnaa.htm",
 "url.query": [
- "quames",
- "aliquamq=dtempori"
+ "aliquamq=dtempori",
+ "quames"
 ],
 "url.scheme": "https",
 "user.name": "orese"
@@ -1642,8 +1701,8 @@
 "observer.version": "1.4450",
 "related.hosts": [
 "billoi",
- "saquaea",
- "eturad6143.www.home"
+ "eturad6143.www.home",
+ "saquaea"
 ],
 "related.ip": [
 "10.128.46.70",
@@ -1809,8 +1868,8 @@
 "url.original": "https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih",
 "url.path": "/tali/BCS.txt",
 "url.query": [
- "quiineav",
- "iqu=niamqu"
+ "iqu=niamqu",
+ "quiineav"
 ],
 "url.scheme": "https",
 "user.name": "inculp"
@@ -1945,8 +2004,8 @@
 "observer.version": "1.5380",
 "related.hosts": [
 "onse",
- "uei",
- "reseosqu1629.mail.lan"
+ "reseosqu1629.mail.lan",
+ "uei"
 ],
 "related.ip": [
 "10.106.85.174",
@@ -1960,8 +2019,8 @@
 "rsa.investigations.event_vcat": "snostrum",
 "rsa.misc.OS": "tiaecon",
 "rsa.misc.action": [
- "cancel",
- "atiset"
+ "atiset",
+ "cancel"
 ],
 "rsa.misc.category": "ehende",
 "rsa.misc.client": "umquam",
@@ -2047,8 +2106,12 @@
 "oluptat"
 ],
 "related.ip": [
+ "10.117.63.181",
 "10.168.20.20",
+<<<<<<< HEAD
 "10.117.63.181",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "10.247.53.179"
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
@@ -2216,9 +2279,15 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.3402",
 "related.hosts": [
+<<<<<<< HEAD
 "tur",
 "imavenia",
 "bore5546.www.local"
+=======
+ "bore5546.www.local",
+ "imavenia",
+ "tur"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.44.198.184",
@@ -2317,9 +2386,9 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.91",
 "related.hosts": [
- "amquisno",
 "Dui",
- "Utenima260.mail.invalid"
+ "Utenima260.mail.invalid",
+ "amquisno"
 ],
 "related.ip": [
 "10.151.170.207",
@@ -2384,8 +2453,8 @@
 "url.original": "https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque",
 "url.path": "/orio/gna.gif",
 "url.query": [
- "tatio",
- "aaliquaU=olu"
+ "aaliquaU=olu",
+ "tatio"
 ],
 "url.scheme": "https",
 "user.name": "iosamni"
@@ -2423,8 +2492,8 @@
 "uido2046.mail.lan"
 ],
 "related.ip": [
- "10.70.7.23",
- "10.130.240.11"
+ "10.130.240.11",
+ "10.70.7.23"
 ],
 "related.user": [
 "eavolup"
@@ -2485,8 +2554,8 @@
 "url.original": "https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota",
 "url.path": "/nimadmin/lumqui.txt",
 "url.query": [
- "iuta",
- "iquip=tinculpa"
+ "iquip=tinculpa",
+ "iuta"
 ],
 "url.scheme": "https",
 "user.name": "eavolup"
@@ -2520,9 +2589,15 @@
 "uio"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.37.161.101",
 "10.111.182.212",
 "10.17.209.252"
+=======
+ "10.111.182.212",
+ "10.17.209.252",
+ "10.37.161.101"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -2587,9 +2662,15 @@
 "itautfu"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.158.175.98",
 "10.170.196.181",
 "10.153.166.133"
+=======
+ "10.153.166.133",
+ "10.158.175.98",
+ "10.170.196.181"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -2653,9 +2734,9 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.5978",
 "related.hosts": [
+ "con6049.internal.lan",
 "porissu",
- "tuser",
- "con6049.internal.lan"
+ "tuser"
 ],
 "related.ip": [
 "10.63.171.91",
@@ -2669,8 +2750,8 @@
 "rsa.investigations.event_vcat": "enimad",
 "rsa.misc.OS": "olor",
 "rsa.misc.action": [
- "nse",
- "accept"
+ "accept",
+ "nse"
 ],
 "rsa.misc.category": "conseq",
 "rsa.misc.client": "mmo",
@@ -2720,8 +2801,8 @@
 "url.original": "https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn",
 "url.path": "/temse/caecat.jpg",
 "url.query": [
- "mveniam",
- "emeu=tatemac"
+ "emeu=tatemac",
+ "mveniam"
 ],
 "url.scheme": "https",
 "user.name": "usanti"
@@ -2755,8 +2836,12 @@
 "iam"
 ],
 "related.ip": [
+ "10.174.17.46",
 "10.38.168.190",
+<<<<<<< HEAD
 "10.174.17.46",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "10.77.105.81"
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
@@ -2822,9 +2907,15 @@
 "ons"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.36.99.207",
 "10.166.142.198",
 "10.225.37.73"
+=======
+ "10.166.142.198",
+ "10.225.37.73",
+ "10.36.99.207"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -2889,9 +2980,15 @@
 "eturadip"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.66.90.225",
 "10.214.156.161",
 "10.145.194.12"
+=======
+ "10.145.194.12",
+ "10.214.156.161",
+ "10.66.90.225"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -2956,9 +3053,9 @@
 "iutal"
 ],
 "related.ip": [
- "10.6.242.108",
 "10.156.208.5",
- "10.163.36.101"
+ "10.163.36.101",
+ "10.6.242.108"
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -3089,8 +3186,8 @@
 "url.original": "https://www5.example.com/elit/sam.htm?nevolu=unt#isni",
 "url.path": "/elit/sam.htm",
 "url.query": [
- "onoru",
- "nevolu=unt"
+ "nevolu=unt",
+ "onoru"
 ],
 "url.scheme": "https",
 "user.name": "estiaec"
@@ -3123,9 +3220,15 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.4481",
 "related.hosts": [
+<<<<<<< HEAD
 "naaliq",
 "trudex",
 "itaspe3216.localdomain"
+=======
+ "itaspe3216.localdomain",
+ "naaliq",
+ "trudex"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.94.177.125",
@@ -3190,8 +3293,8 @@
 "url.original": "https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru",
 "url.path": "/porro/issu.htm",
 "url.query": [
- "olorsit",
- "inculpa=ruredol"
+ "inculpa=ruredol",
+ "olorsit"
 ],
 "url.scheme": "https",
 "user.name": "ecatc"
@@ -3226,8 +3329,8 @@
 "observer.version": "1.4442",
 "related.hosts": [
 "fugi",
- "uae",
- "mea6298.api.example"
+ "mea6298.api.example",
+ "uae"
 ],
 "related.ip": [
 "10.115.121.243",
@@ -3292,8 +3395,8 @@
 "url.original": "https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl",
 "url.path": "/uamquaer/texplica.gif",
 "url.query": [
- "udexerci",
- "sequa=lorum"
+ "sequa=lorum",
+ "udexerci"
 ],
 "url.scheme": "https",
 "user.name": "norumetM"
@@ -3327,12 +3430,17 @@
 "observer.version": "1.3804",
 "related.hosts": [
 "atcupi",
+<<<<<<< HEAD
 "nder",
 "iqu7510.internal.corp"
+=======
+ "iqu7510.internal.corp",
+ "nder"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
- "10.49.82.45",
- "10.179.153.97"
+ "10.179.153.97",
+ "10.49.82.45"
 ],
 "related.user": [
 "dictasun"
@@ -3428,9 +3536,15 @@
 "lors"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.99.55.115",
 "10.205.83.138",
 "10.98.52.184"
+=======
+ "10.205.83.138",
+ "10.98.52.184",
+ "10.99.55.115"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -3548,8 +3662,8 @@
 "observer.type": "Configuration",
 "observer.vendor": "Fortinet",
 "related.hosts": [
- "ntoccae2859.www.test",
- "moll"
+ "moll",
+ "ntoccae2859.www.test"
 ],
 "related.user": [
 "cteturad"
@@ -3608,13 +3722,13 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.7318",
 "related.hosts": [
+ "deFinibu3940.internal.lan",
 "ptat",
- "umdol",
- "deFinibu3940.internal.lan"
+ "umdol"
 ],
 "related.ip": [
- "10.22.248.52",
- "10.124.71.88"
+ "10.124.71.88",
+ "10.22.248.52"
 ],
 "related.user": [
 "tcons"
@@ -3675,8 +3789,8 @@
 "url.original": "https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun",
 "url.path": "/etcon/chit.txt",
 "url.query": [
- "tinvolu",
- "erspici=itinvolu"
+ "erspici=itinvolu",
+ "tinvolu"
 ],
 "url.scheme": "https",
 "user.name": "tcons"
@@ -3725,8 +3839,8 @@
 "rsa.investigations.event_vcat": "iae",
 "rsa.misc.OS": "evelite",
 "rsa.misc.action": [
- "essequam",
- "block"
+ "block",
+ "essequam"
 ],
 "rsa.misc.category": "tmollita",
 "rsa.misc.client": "uiinea",
@@ -3776,8 +3890,8 @@
 "url.original": "https://api.example.org/fug/liquid.txt?ptate=lloi#nseq",
 "url.path": "/fug/liquid.txt",
 "url.query": [
- "undeo",
- "ptate=lloi"
+ "ptate=lloi",
+ "undeo"
 ],
 "url.scheme": "https",
 "user.name": "eumiure"
@@ -3811,9 +3925,15 @@
 "teni"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.250.231.196",
 "10.14.145.107",
 "10.200.12.126"
+=======
+ "10.14.145.107",
+ "10.200.12.126",
+ "10.250.231.196"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -3878,9 +3998,15 @@
 "atuse"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.225.34.176",
 "10.103.36.192",
 "10.21.203.112"
+=======
+ "10.103.36.192",
+ "10.21.203.112",
+ "10.225.34.176"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -4012,8 +4138,8 @@
 "observer.version": "1.4493",
 "related.hosts": [
 "labor",
- "veleumiu",
- "nimadmi4084.api.home"
+ "nimadmi4084.api.home",
+ "veleumiu"
 ],
 "related.ip": [
 "10.28.212.191",
@@ -4112,13 +4238,19 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.6506",
 "related.hosts": [
+<<<<<<< HEAD
 "sedqui",
 "ecillum",
 "reprehe3525.www5.example"
+=======
+ "ecillum",
+ "reprehe3525.www5.example",
+ "sedqui"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
- "10.148.197.60",
- "10.143.144.52"
+ "10.143.144.52",
+ "10.148.197.60"
 ],
 "related.user": [
 "rporis"
@@ -4179,8 +4311,8 @@
 "url.original": "https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel",
 "url.path": "/mvele/teveli.htm",
 "url.query": [
- "lab",
- "Nequepor=luptate"
+ "Nequepor=luptate",
+ "lab"
 ],
 "url.scheme": "https",
 "user.name": "rporis"
@@ -4282,8 +4414,13 @@
 ],
 "related.ip": [
 "10.183.16.252",
+<<<<<<< HEAD
 "10.51.60.203",
 "10.203.66.175"
+=======
+ "10.203.66.175",
+ "10.51.60.203"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -4449,8 +4586,13 @@
 "observer.version": "1.5475",
 "related.hosts": [
 "antium",
+<<<<<<< HEAD
 "rcita",
 "ididunt7607.mail.localhost"
+=======
+ "ididunt7607.mail.localhost",
+ "rcita"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.217.111.77",
@@ -4549,9 +4691,9 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.142",
 "related.hosts": [
- "rsita",
+ "mco2906.domain",
 "ommodoco",
- "mco2906.domain"
+ "rsita"
 ],
 "related.ip": [
 "10.86.152.227",
@@ -4616,8 +4758,8 @@
 "url.original": "https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav",
 "url.path": "/iadolo/cidu.txt",
 "url.query": [
- "tiu",
- "aliquide=redolori"
+ "aliquide=redolori",
+ "tiu"
 ],
 "url.scheme": "https",
 "user.name": "msequin"
@@ -4651,8 +4793,13 @@
 "observer.version": "1.1789",
 "related.hosts": [
 "dol",
+<<<<<<< HEAD
 "ono",
 "ntex5135.corp"
+=======
+ "ntex5135.corp",
+ "ono"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.234.171.117",
@@ -4666,8 +4813,8 @@
 "rsa.investigations.event_vcat": "uia",
 "rsa.misc.OS": "mquae",
 "rsa.misc.action": [
- "tenatus",
- "deny"
+ "deny",
+ "tenatus"
 ],
 "rsa.misc.category": "abo",
 "rsa.misc.client": "umtota",
@@ -4717,8 +4864,8 @@
 "url.original": "https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd",
 "url.path": "/isc/umdol.jpg",
 "url.query": [
- "odic",
- "atn=sectet"
+ "atn=sectet",
+ "odic"
 ],
 "url.scheme": "https",
 "user.name": "tat"
@@ -4753,9 +4900,9 @@
 "nonnumq"
 ],
 "related.ip": [
+ "10.107.168.208",
 "10.249.16.201",
- "10.34.41.75",
- "10.107.168.208"
+ "10.34.41.75"
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -4819,13 +4966,13 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.6905",
 "related.hosts": [
- "rveli",
 "aaliq",
+ "rveli",
 "tat1845.internal.invalid"
 ],
 "related.ip": [
- "10.96.168.24",
- "10.109.106.194"
+ "10.109.106.194",
+ "10.96.168.24"
 ],
 "related.user": [
 "ommodoc"
@@ -4886,8 +5033,8 @@
 "url.original": "https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat",
 "url.path": "/imadm/ugiat.txt",
 "url.query": [
- "stiaec",
- "Nequepor=nisiu"
+ "Nequepor=nisiu",
+ "stiaec"
 ],
 "url.scheme": "https",
 "user.name": "ommodoc"
@@ -5222,8 +5369,8 @@
 "url.original": "https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi",
 "url.path": "/asuntex/uovolup.html",
 "url.query": [
- "eriti",
- "amali=uiav"
+ "amali=uiav",
+ "eriti"
 ],
 "url.scheme": "https",
 "user.name": "urmag"
@@ -5323,8 +5470,8 @@
 "url.original": "https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve",
 "url.path": "/mnisiut/porinci.htm",
 "url.query": [
- "texplica",
- "norum=emUten"
+ "norum=emUten",
+ "texplica"
 ],
 "url.scheme": "https",
 "user.name": "lpaquiof"
@@ -5358,9 +5505,15 @@
 "cons"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.246.41.77",
 "10.228.61.5",
 "10.157.22.21"
+=======
+ "10.157.22.21",
+ "10.228.61.5",
+ "10.246.41.77"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -5558,8 +5711,8 @@
 "url.original": "https://api.example.net/nsec/smo.gif?etq=trumexe#rai",
 "url.path": "/nsec/smo.gif",
 "url.query": [
- "ipsu",
- "etq=trumexe"
+ "etq=trumexe",
+ "ipsu"
 ],
 "url.scheme": "https",
 "user.name": "ainci"
@@ -5640,12 +5793,12 @@
 "observer.version": "1.4342",
 "related.hosts": [
 "onsequ",
- "ten",
- "riaturE1644.www5.example"
+ "riaturE1644.www5.example",
+ "ten"
 ],
 "related.ip": [
- "10.215.144.167",
- "10.162.114.52"
+ "10.162.114.52",
+ "10.215.144.167"
 ],
 "related.user": [
 "erspici"
@@ -5655,8 +5808,8 @@
 "rsa.investigations.event_vcat": "empori",
 "rsa.misc.OS": "ostru",
 "rsa.misc.action": [
- "quepor",
- "allow"
+ "allow",
+ "quepor"
 ],
 "rsa.misc.category": "cipitla",
 "rsa.misc.client": "exeacomm",
@@ -5740,9 +5893,15 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.6452",
 "related.hosts": [
+<<<<<<< HEAD
 "tem",
 "cons",
 "mdolo7008.api.corp"
+=======
+ "cons",
+ "mdolo7008.api.corp",
+ "tem"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.162.128.87",
@@ -5910,8 +6069,13 @@
 ],
 "related.ip": [
 "10.154.151.111",
+<<<<<<< HEAD
 "10.7.230.206",
 "10.249.93.150"
+=======
+ "10.249.93.150",
+ "10.7.230.206"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -5975,9 +6139,15 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.5718",
 "related.hosts": [
+<<<<<<< HEAD
 "quirat",
 "ptatem",
 "itse5466.api.example"
+=======
+ "itse5466.api.example",
+ "ptatem",
+ "quirat"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.26.4.3",
@@ -6076,9 +6246,15 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.6603",
 "related.hosts": [
+<<<<<<< HEAD
 "eac",
 "ssuscipi",
 "dquiac6194.api.lan"
+=======
+ "dquiac6194.api.lan",
+ "eac",
+ "ssuscipi"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.180.162.174",
@@ -6177,9 +6353,9 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.2052",
 "related.hosts": [
+ "amco1592.mail.host",
 "asp",
- "dat",
- "amco1592.mail.host"
+ "dat"
 ],
 "related.ip": [
 "10.110.99.222",
@@ -6244,8 +6420,8 @@
 "url.original": "https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata",
 "url.path": "/ssusci/snostrud.txt",
 "url.query": [
- "ptat",
- "dolo=siutaliq"
+ "dolo=siutaliq",
+ "ptat"
 ],
 "url.scheme": "https",
 "user.name": "moenimi"
@@ -6278,9 +6454,15 @@
 "observer.vendor": "Fortinet",
 "observer.version": "1.2691",
 "related.hosts": [
+<<<<<<< HEAD
 "orroqu",
 "ratio",
 "dicta7226.mail.example"
+=======
+ "dicta7226.mail.example",
+ "orroqu",
+ "ratio"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.4.244.115",
@@ -6380,9 +6562,15 @@
 "eleumiu"
 ],
 "related.ip": [
+<<<<<<< HEAD
 "10.236.211.111",
 "10.120.212.78",
 "10.221.100.157"
+=======
+ "10.120.212.78",
+ "10.221.100.157",
+ "10.236.211.111"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "rsa.internal.messageid": "generic_fortinetmgr_1",
 "rsa.misc.action": [
@@ -6446,9 +6634,9 @@ "observer.vendor": "Fortinet", "observer.version": "1.3052", "related.hosts": [ + "pidatatn2627.www.localdomain", "tenima", - "xeacom", - "pidatatn2627.www.localdomain" + "xeacom" ], "related.ip": [ "10.210.82.202", @@ -6548,9 +6736,15 @@ "nimides" ], "related.ip": [ +<<<<<<< HEAD "10.226.255.3", "10.53.251.202", "10.123.59.69" +======= + "10.123.59.69", + "10.226.255.3", + "10.53.251.202" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6681,13 +6875,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.95", "related.hosts": [ - "inculp", "Utenimad", - "emveleu4029.api.local" + "emveleu4029.api.local", + "inculp" ], "related.ip": [ - "10.236.175.163", - "10.126.11.186" + "10.126.11.186", + "10.236.175.163" ], "related.user": [ "udantiu" @@ -6783,9 +6977,15 @@ "mes" ], "related.ip": [ +<<<<<<< HEAD "10.83.98.220", "10.11.150.136", "10.171.60.173" +======= + "10.11.150.136", + "10.171.60.173", + "10.83.98.220" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6850,9 +7050,15 @@ "datatno" ], "related.ip": [ +<<<<<<< HEAD "10.92.3.166", "10.238.49.73", "10.74.88.209" +======= + "10.238.49.73", + "10.74.88.209", + "10.92.3.166" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6985,8 +7191,13 @@ ], "related.ip": [ "10.135.213.17", +<<<<<<< HEAD "10.30.239.222", "10.167.128.229" +======= + "10.167.128.229", + "10.30.239.222" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -7117,8 +7328,8 @@ "url.original": "https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce", "url.path": "/ita/esse.txt", "url.query": [ - "ididun", - "amquis=iatquovo" + "amquis=iatquovo", + "ididun" ], "url.scheme": "https", "user.name": "emq" @@ -7218,8 +7429,8 @@ "url.original": "https://www5.example.net/culpa/isun.txt?cola=tura#rat", "url.path": "/culpa/isun.txt", "url.query": [ - "orumwrit", - "cola=tura" + "cola=tura", + "orumwrit" ], "url.scheme": "https", "user.name": "caecatcu" @@ -7253,9 +7464,15 @@ "emaperi" ], "related.ip": [ +<<<<<<< HEAD "10.35.240.70", "10.53.82.96", "10.224.212.88" +======= + "10.224.212.88", + "10.35.240.70", + "10.53.82.96" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7320,9 +7537,15 @@ "oeius" ], "related.ip": [ +<<<<<<< HEAD "10.66.149.234", "10.233.128.7", "10.186.253.240" +======= + "10.186.253.240", + "10.233.128.7", + "10.66.149.234" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7388,8 +7611,8 @@ ], "related.ip": [ "10.173.140.201", - "10.46.11.114", - "10.227.133.134" + "10.227.133.134", + "10.46.11.114" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7455,8 +7678,13 @@ ], "related.ip": [ "10.170.236.123", +<<<<<<< HEAD "10.69.130.207", "10.205.18.11" +======= + "10.205.18.11", + "10.69.130.207" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7587,8 +7815,8 @@ "url.original": "https://example.com/loremag/mqu.gif?bore=lapari#aborios", "url.path": "/loremag/mqu.gif", "url.query": [ - "sequa", - "bore=lapari" + "bore=lapari", + "sequa" ], "url.scheme": "https", "user.name": "epor" 
@@ -7622,9 +7850,9 @@ "ineavol" ], "related.ip": [ - "10.9.41.221", "10.204.98.238", - "10.81.58.91" + "10.81.58.91", + "10.9.41.221" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7736,8 +7964,8 @@ "uipex" ], "related.ip": [ - "10.35.84.125", "10.212.208.70", + "10.35.84.125", "10.37.120.29" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7803,9 +8031,15 @@ "aturvel" ], "related.ip": [ +<<<<<<< HEAD "10.207.207.106", "10.143.65.84", "10.199.201.26" +======= + "10.143.65.84", + "10.199.201.26", + "10.207.207.106" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7938,8 +8172,13 @@ ], "related.ip": [ "10.185.44.26", +<<<<<<< HEAD "10.53.110.111", "10.246.81.164" +======= + "10.246.81.164", + "10.53.110.111" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -8004,9 +8243,15 @@ "observer.vendor": "Fortinet", "observer.version": "1.802", "related.hosts": [ +<<<<<<< HEAD "lam", "proid", "cupida6106.www5.local" +======= + "cupida6106.www5.local", + "lam", + "proid" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.ip": [ "10.109.172.90", @@ -8105,8 +8350,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.2314", "related.hosts": [ - "umtotam", "stenat", + "umtotam", "unt2122.internal.local" ], "related.ip": [ @@ -8206,9 +8451,15 @@ "observer.vendor": "Fortinet", "observer.version": "1.4674", "related.hosts": [ +<<<<<<< HEAD "oremeu", "ita", "luptat2613.internal.localhost" +======= + "ita", + "luptat2613.internal.localhost", + "oremeu" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "related.ip": [ "10.182.124.88", 
@@ -8222,8 +8473,8 @@ "rsa.investigations.event_vcat": "tfug", "rsa.misc.OS": "imipsam", "rsa.misc.action": [ - "utodi", - "block" + "block", + "utodi" ], "rsa.misc.category": "cid", "rsa.misc.client": "mquaerat", @@ -8312,8 +8563,8 @@ "neavo4796.internal.domain" ], "related.ip": [ - "10.35.10.19", - "10.188.124.185" + "10.188.124.185", + "10.35.10.19" ], "related.user": [ "dolo" @@ -8374,8 +8625,8 @@ "url.original": "https://www5.example.com/xea/ssecill.html?quianonn=quun#one", "url.path": "/xea/ssecill.html", "url.query": [ - "tasper", - "quianonn=quun" + "quianonn=quun", + "tasper" ], "url.scheme": "https", "user.name": "dolo" diff --git a/x-pack/filebeat/module/gcp/firewall/test/rare.log-expected.json b/x-pack/filebeat/module/gcp/firewall/test/rare.log-expected.json index 28a67d649f9..8c6a0f8e768 100644 --- a/x-pack/filebeat/module/gcp/firewall/test/rare.log-expected.json +++ b/x-pack/filebeat/module/gcp/firewall/test/rare.log-expected.json @@ -53,8 +53,8 @@ "network.name": "default", "network.type": "ipv4", "related.ip": [ - "10.142.0.10", - "10.128.0.16" + "10.128.0.16", + "10.142.0.10" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -120,8 +120,8 @@ "network.name": "default", "network.type": "ipv4", "related.ip": [ - "10.142.0.16", - "10.128.0.10" + "10.128.0.10", + "10.142.0.16" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", diff --git a/x-pack/filebeat/module/gcp/firewall/test/test.log-expected.json b/x-pack/filebeat/module/gcp/firewall/test/test.log-expected.json index eeba0d7268c..0242fbd420e 100644 --- a/x-pack/filebeat/module/gcp/firewall/test/test.log-expected.json +++ b/x-pack/filebeat/module/gcp/firewall/test/test.log-expected.json @@ -78,8 +78,8 @@ "event.kind": "event", "event.module": "gcp", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "firewall", "gcp.destination.instance.project_id": "test-beats", 
@@ -115,8 +115,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.126", - "10.42.0.2" + "10.42.0.2", + "192.0.2.126" ], "rule.name": "network:windows-isolated/firewall:windows-isolated-allow-rdp", "service.type": "gcp", @@ -180,8 +180,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.219", - "10.28.0.16" + "10.28.0.16", + "192.0.2.219" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -247,8 +247,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.14", - "10.28.0.16" + "10.28.0.16", + "192.0.2.14" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -312,8 +312,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.14", - "10.28.0.16" + "10.28.0.16", + "192.0.2.14" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -377,8 +377,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.151", - "10.28.0.16" + "10.28.0.16", + "192.0.2.151" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -444,8 +444,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.241", - "10.28.0.16" + "10.28.0.16", + "192.0.2.241" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -511,8 +511,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.114", - "10.28.0.16" + "10.28.0.16", + "192.0.2.114" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -578,8 +578,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.251", - "10.28.0.16" + "10.28.0.16", + "192.0.2.251" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", 
@@ -645,8 +645,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.189", - "10.28.0.16" + "10.28.0.16", + "192.0.2.189" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -712,8 +712,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.189", - "10.28.0.16" + "10.28.0.16", + "192.0.2.189" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -779,8 +779,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.200", - "10.28.0.16" + "10.28.0.16", + "192.0.2.200" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", @@ -940,8 +940,8 @@ "event.kind": "event", "event.module": "gcp", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "firewall", "gcp.destination.instance.project_id": "test-beats", @@ -983,8 +983,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.114", - "10.42.0.10" + "10.42.0.10", + "192.0.2.114" ], "rule.name": "network:default/firewall:allow9200", "service.type": "gcp", @@ -1011,8 +1011,8 @@ "event.kind": "event", "event.module": "gcp", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "firewall", "gcp.destination.instance.project_id": "test-beats", @@ -1054,8 +1054,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.114", - "10.42.0.10" + "10.42.0.10", + "192.0.2.114" ], "rule.name": "network:default/firewall:allow9200", "service.type": "gcp", @@ -1082,8 +1082,8 @@ "event.kind": "event", "event.module": "gcp", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "firewall", "gcp.destination.instance.project_id": "test-beats", 
@@ -1119,8 +1119,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.7", - "10.42.0.2" + "10.42.0.2", + "192.0.2.7" ], "rule.name": "network:windows-isolated/firewall:windows-isolated-allow-rdp", "service.type": "gcp", @@ -1148,8 +1148,8 @@ "event.kind": "event", "event.module": "gcp", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "firewall", "gcp.destination.instance.project_id": "test-beats", @@ -1191,8 +1191,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.114", - "10.42.0.10" + "10.42.0.10", + "192.0.2.114" ], "rule.name": "network:default/firewall:allow9200", "service.type": "gcp", @@ -1219,8 +1219,8 @@ "event.kind": "event", "event.module": "gcp", "event.type": [ - "connection", - "allowed" + "allowed", + "connection" ], "fileset.name": "firewall", "gcp.destination.instance.project_id": "test-beats", @@ -1262,8 +1262,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.114", - "10.42.0.10" + "10.42.0.10", + "192.0.2.114" ], "rule.name": "network:default/firewall:allow9200", "service.type": "gcp", @@ -1334,8 +1334,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "10.42.0.10", - "10.28.0.16" + "10.28.0.16", + "10.42.0.10" ], "rule.name": "network:default/firewall:adrian-test-3", "service.type": "gcp", diff --git a/x-pack/filebeat/module/gcp/vpcflow/test/vpc-flow-log-entries.json.log-expected.json b/x-pack/filebeat/module/gcp/vpcflow/test/vpc-flow-log-entries.json.log-expected.json index da74fec40d6..2b532388328 100644 --- a/x-pack/filebeat/module/gcp/vpcflow/test/vpc-flow-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/gcp/vpcflow/test/vpc-flow-log-entries.json.log-expected.json 
@@ -97,8 +97,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -322,8 +322,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.117", - "10.87.40.76" + "10.87.40.76", + "192.0.2.117" ], "service.type": "gcp", "source.address": "192.0.2.117", @@ -382,8 +382,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -504,8 +504,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -565,8 +565,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -619,8 +619,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.23", - "10.139.99.242" + "10.139.99.242", + "192.0.2.23" ], "service.type": "gcp", "source.address": "192.0.2.23", @@ -681,8 +681,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -742,8 +742,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -980,8 +980,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.93", - "10.49.136.133" + "10.49.136.133", + "203.0.113.93" ], "service.type": "gcp", "source.address": "203.0.113.93", 
@@ -1031,8 +1031,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.12", - "10.87.40.76" + "10.87.40.76", + "203.0.113.12" ], "service.type": "gcp", "source.address": "203.0.113.12", @@ -1314,8 +1314,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.12", - "10.87.40.76" + "10.87.40.76", + "203.0.113.12" ], "service.type": "gcp", "source.address": "203.0.113.12", @@ -1429,8 +1429,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.58", - "10.139.99.242" + "10.139.99.242", + "203.0.113.58" ], "service.type": "gcp", "source.address": "203.0.113.58", @@ -1491,8 +1491,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -1552,8 +1552,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -1661,8 +1661,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.165", - "10.139.99.242" + "10.139.99.242", + "192.0.2.165" ], "service.type": "gcp", "source.address": "192.0.2.165", @@ -1778,8 +1778,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.107", - "10.87.40.76" + "10.87.40.76", + "198.51.100.107" ], "service.type": "gcp", "source.address": "198.51.100.107", @@ -2016,8 +2016,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -2248,8 +2248,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", 
@@ -2370,8 +2370,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -2492,8 +2492,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -2553,8 +2553,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -2718,8 +2718,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.117", - "10.87.40.76" + "10.87.40.76", + "192.0.2.117" ], "service.type": "gcp", "source.address": "192.0.2.117", @@ -2772,8 +2772,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.58", - "10.139.99.242" + "10.139.99.242", + "203.0.113.58" ], "service.type": "gcp", "source.address": "203.0.113.58", @@ -2890,8 +2890,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.101", - "10.139.99.242" + "10.139.99.242", + "203.0.113.101" ], "service.type": "gcp", "source.address": "203.0.113.101", @@ -2951,8 +2951,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.177", - "10.139.99.242" + "10.139.99.242", + "192.0.2.177" ], "service.type": "gcp", "source.address": "192.0.2.177", @@ -3067,8 +3067,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.58", - "10.139.99.242" + "10.139.99.242", + "203.0.113.58" ], "service.type": "gcp", "source.address": "203.0.113.58", @@ -3123,8 +3123,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.58", - "10.139.99.242" + "10.139.99.242", + "203.0.113.58" ], "service.type": "gcp", "source.address": "203.0.113.58", 
@@ -3179,8 +3179,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.117", - "10.87.40.76" + "10.87.40.76", + "192.0.2.117" ], "service.type": "gcp", "source.address": "192.0.2.117", @@ -3349,8 +3349,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -3465,8 +3465,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.58", - "10.139.99.242" + "10.139.99.242", + "203.0.113.58" ], "service.type": "gcp", "source.address": "203.0.113.58", @@ -3521,8 +3521,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.12", - "10.87.40.76" + "10.87.40.76", + "203.0.113.12" ], "service.type": "gcp", "source.address": "203.0.113.12", @@ -3575,8 +3575,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.107", - "10.87.40.76" + "10.87.40.76", + "198.51.100.107" ], "service.type": "gcp", "source.address": "198.51.100.107", @@ -3635,8 +3635,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -3744,8 +3744,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.27", - "10.87.40.76" + "10.87.40.76", + "203.0.113.27" ], "service.type": "gcp", "source.address": "203.0.113.27", @@ -3804,8 +3804,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -4041,8 +4041,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", 
@@ -4217,8 +4217,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -4272,8 +4272,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.107", - "10.87.40.76" + "10.87.40.76", + "198.51.100.107" ], "service.type": "gcp", "source.address": "198.51.100.107", @@ -4332,8 +4332,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -4387,8 +4387,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.27", - "10.87.40.76" + "10.87.40.76", + "203.0.113.27" ], "service.type": "gcp", "source.address": "203.0.113.27", @@ -4441,8 +4441,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.27", - "10.87.40.76" + "10.87.40.76", + "203.0.113.27" ], "service.type": "gcp", "source.address": "203.0.113.27", @@ -4657,8 +4657,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.107", - "10.87.40.76" + "10.87.40.76", + "198.51.100.107" ], "service.type": "gcp", "source.address": "198.51.100.107", @@ -4887,8 +4887,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.12", - "10.87.40.76" + "10.87.40.76", + "203.0.113.12" ], "service.type": "gcp", "source.address": "203.0.113.12", @@ -4947,8 +4947,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -5110,8 +5110,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.27", - "10.87.40.76" + "10.87.40.76", + "203.0.113.27" ], "service.type": "gcp", "source.address": "203.0.113.27", 
@@ -5170,8 +5170,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -5536,8 +5536,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "198.51.100.248", - "10.87.40.76" + "10.87.40.76", + "198.51.100.248" ], "service.type": "gcp", "source.address": "198.51.100.248", @@ -5597,8 +5597,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "192.0.2.177", - "10.139.99.242" + "10.139.99.242", + "192.0.2.177" ], "service.type": "gcp", "source.address": "192.0.2.177", @@ -5719,8 +5719,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", @@ -5780,8 +5780,8 @@ "network.transport": "tcp", "network.type": "ipv4", "related.ip": [ - "203.0.113.134", - "10.139.99.242" + "10.139.99.242", + "203.0.113.134" ], "service.type": "gcp", "source.address": "203.0.113.134", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json index abd84e26272..a6a661e76c1 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json @@ -3,8 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -64,8 +64,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -124,8 +124,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -192,8 +192,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -242,8 +242,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GPLUS_PREMIUM_FEATURES", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -402,8 +402,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_MANAGED_CONFIGURATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -456,8 +456,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json index b2d9d491215..be2cca86660 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json @@ -377,8 +377,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -544,8 +544,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CALENDAR_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json index 4caec2adf2d..34699ff68ea 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json @@ -107,8 +107,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_MODIFY_GATEWAY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -160,8 +160,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHAT_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json index f81d96a81f1..4e3b1eac91d 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json @@ -3,8 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -119,8 +119,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -285,8 +285,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -396,8 +396,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -768,8 +768,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -824,8 +824,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_USER_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -893,8 +893,8 @@ "fileset.name": "admin", "google_workspace.actor.type": "USER", "google_workspace.admin.device.command_details": [ - "command", - "-a" + "-a", + "command" ], "google_workspace.admin.device.serial_number": "1234", "google_workspace.admin.device.type": "type", @@ -1097,8 +1097,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json index 5db40eec65c..50adf8044be 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json @@ -3,8 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json index fd8de3b21d1..97f5e3b6b83 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json 
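Review bot: Sorting `google_workspace.admin.device.command_details` into `"-a", "command"` in hunk `@@ -893,8 +893,8 @@` discards the order of an argv-style field, where order carries the meaning; the fixture no longer documents that the pipeline emits `command -a`. This is only sound if the test harness compares arrays order-insensitively, which the commit implies but this hunk does not show; if comparison is ordered, the fixture now disagrees with real pipeline output. Consider exempting order-significant fields such as command lines from the fixture sort, or at least note in the generator that array order is not asserted so analysts do not read the fixture as the emitted order.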
@@ -120,8 +120,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOCS_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json index 65e1fe272a7..555f9bec5b0 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json @@ -800,8 +800,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -854,8 +854,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -908,8 +908,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_API_ACCESS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1233,8 +1233,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_WHITELIST_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1288,8 +1288,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -1398,8 +1398,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_FEEDBACK_SOLICITATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1453,8 +1453,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_CONTACT_SHARING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1559,8 +1559,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_CUSTOM_LOGO", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1719,8 +1719,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2358,8 +2358,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2412,8 +2412,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSO_ENABLED", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2466,8 +2466,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSL", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2949,8 +2949,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_NEW_APP_FEATURES", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -3003,8 +3003,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -3161,8 +3161,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OPEN_ID_ENABLED", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -3269,8 +3269,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OUTBOUND_RELAY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -3487,8 +3487,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -4389,8 +4389,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SSO_SETTINGS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json index 86bbb3cbcbb..02c317b9f0e 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json @@ -173,8 +173,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EMAIL_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -233,8 +233,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GMAIL_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -289,8 +289,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_GMAIL_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -345,8 +345,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_GMAIL_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json index d9c9e452f40..52257df41d7 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json @@ -11,8 +11,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -66,8 +66,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -121,8 +121,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -228,8 +228,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -290,8 +290,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -352,8 +352,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -416,8 +416,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -480,8 +480,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -544,8 +544,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -650,8 +650,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -706,8 +706,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -764,8 +764,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json index 099e46ceb46..80c0d6dc9e2 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json 
@@ -11,8 +11,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -72,8 +72,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -609,8 +609,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -731,8 +731,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -790,8 +790,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -849,8 +849,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -908,8 +908,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -959,8 +959,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -1551,8 +1551,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1610,8 +1610,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1669,8 +1669,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json index 38b52a4fde7..1af74f0a4da 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json @@ -3,8 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_STRONG_AUTHENTICATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -58,8 +58,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -112,8 +112,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -166,8 +166,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -386,8 +386,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -444,8 +444,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -502,8 +502,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -560,8 +560,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -618,8 +618,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -940,8 +940,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -998,8 +998,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENFORCE_STRONG_AUTHENTICATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1058,8 +1058,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1113,8 +1113,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1171,8 +1171,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1227,8 +1227,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SESSION_LENGTH", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json index 1e936265994..ba25dbc3e68 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json @@ -121,8 +121,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", 
@@ -178,8 +178,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json index 0d31e53291c..16b088935bd 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json @@ -11,8 +11,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -68,8 +68,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -125,8 +125,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -184,8 +184,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -242,8 +242,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -299,8 +299,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -356,8 +356,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -413,8 +413,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -470,8 +470,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -528,8 +528,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -640,8 +640,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -698,8 +698,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -756,8 +756,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -816,8 +816,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -875,8 +875,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -934,8 +934,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -993,8 +993,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1052,8 +1052,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1111,8 +1111,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1170,8 +1170,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1229,8 +1229,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1288,8 +1288,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1347,8 +1347,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1404,8 +1404,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1461,8 +1461,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1520,8 +1520,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1582,8 +1582,8 @@ "event.provider": "admin", "event.start": "2002-10-02T15:00:00.000Z", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1644,8 +1644,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1703,8 +1703,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1761,8 +1761,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1819,8 +1819,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1877,8 +1877,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -1935,8 +1935,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -1994,8 +1994,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2052,8 +2052,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -2111,8 +2111,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2169,8 +2169,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -2227,8 +2227,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2285,8 +2285,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2343,8 +2343,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -2400,8 +2400,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2510,8 +2510,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -2567,8 +2567,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2624,8 +2624,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2684,8 +2684,8 @@ "event.provider": "admin", "event.start": "2002-10-02T15:00:00.000Z", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -2744,8 +2744,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2802,8 +2802,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2859,8 +2859,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -2916,8 +2916,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -2973,8 +2973,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -3031,8 +3031,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3089,8 +3089,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3146,8 +3146,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -3203,8 +3203,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3260,8 +3260,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3317,8 +3317,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -3375,8 +3375,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3432,8 +3432,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3489,8 +3489,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -3546,8 +3546,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3654,8 +3654,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -3713,8 +3713,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3771,8 +3771,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -3829,8 +3829,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3886,8 +3886,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -3943,8 +3943,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -4000,8 +4000,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -4057,8 +4057,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", @@ -4114,8 +4114,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", 
@@ -4224,8 +4224,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "google_workspace.actor.type": "USER", diff --git a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json index 2cf11698199..74b7811f7b5 100644 --- a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json @@ -68,9 +68,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_canceled", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -133,9 +133,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_comment_added", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -198,9 +198,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_requested", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", 
@@ -263,9 +263,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_reviewer_responded", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1345,9 +1345,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_acl_editors", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1414,9 +1414,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_document_access_scope", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1484,9 +1484,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_document_visibility", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1554,9 +1554,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "shared_drive_membership_change", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1624,9 +1624,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "shared_drive_settings_change", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1694,9 +1694,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "sheets_import_range_access_change", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", 
@@ -1759,9 +1759,9 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_user_access", "event.category": [ + "configuration", "file", - "iam", - "configuration" + "iam" ], "event.dataset": "google_workspace.drive", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json index 5faa1d30d53..48cbd47cf05 100644 --- a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json @@ -11,8 +11,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}", "event.provider": "groups", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", 
@@ -130,9 +130,9 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "event.provider": "groups", "event.type": [ + "change", "group", - "user", - "change" + "user" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -193,9 +193,9 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", "event.provider": "groups", "event.type": [ + "change", "group", - "user", - "change" + "user" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -297,8 +297,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_basic_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", 
@@ -306,8 +306,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -364,8 +364,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", 
@@ -419,8 +419,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "deletion" + "deletion", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -466,8 +466,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_identity_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -475,8 +475,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -525,8 +525,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_info_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", 
@@ -534,8 +534,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -583,8 +583,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_info_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -592,8 +592,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", 
@@ -642,8 +642,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_info_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -651,8 +651,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "deletion" + "deletion", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -700,8 +700,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_new_members_restrictions_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", 
@@ -709,8 +709,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -759,8 +759,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_post_replies_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -768,8 +768,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", 
@@ -818,8 +818,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_spam_moderation_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -827,8 +827,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -877,8 +877,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_topic_setting", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "google_workspace.groups", "event.id": "1", 
@@ -886,8 +886,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", "event.provider": "groups", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "groups", "google_workspace.actor.type": "USER", @@ -1067,8 +1067,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", "event.provider": "groups", "event.type": [ - "group", "creation", + "group", "user" ], "fileset.name": "groups", 
@@ -1447,8 +1447,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "event.provider": "groups", "event.type": [ - "group", "deletion", + "group", "user" ], "fileset.name": "groups", diff --git a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json index a4e0f480040..68ecbb4fc1f 100644 --- a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json @@ -11,8 +11,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "event.provider": "login", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "login", "google_workspace.actor.type": "USER", 
@@ -235,8 +235,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "event.provider": "login", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "login", "google_workspace.actor.type": "USER", @@ -291,8 +291,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "event.provider": "login", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "login", "google_workspace.actor.type": "USER", @@ -347,8 +347,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "event.provider": "login", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "login", "google_workspace.actor.type": "USER", 
@@ -404,8 +404,8 @@ "event.provider": "login", "event.start": "2020-07-02T13:08:25.123Z", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "login", "google_workspace.actor.type": "USER", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json index 83556673967..ab7e42ab458 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json @@ -2,8 +2,8 @@ { "event.action": "CHANGE_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -62,8 +62,8 @@ { "event.action": "CREATE_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -121,8 +121,8 @@ { "event.action": "DELETE_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -188,8 +188,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -237,8 +237,8 @@ { "event.action": "GPLUS_PREMIUM_FEATURES", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -394,8 +394,8 @@ { "event.action": "UPDATE_MANAGED_CONFIGURATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -447,8 +447,8 @@ { "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json index 10e0ec1aac4..3772a9892a4 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json @@ -369,8 +369,8 @@ { "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -533,8 +533,8 @@ { "event.action": "CHANGE_CALENDAR_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json index 5fde8049c7c..74ff813ecdd 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json 
@@ -104,8 +104,8 @@ { "event.action": "MEET_INTEROP_MODIFY_GATEWAY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -156,8 +156,8 @@ { "event.action": "CHANGE_CHAT_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json index 4627a127b8f..ed4950f5b6c 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -2,8 +2,8 @@ { "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -116,8 +116,8 @@ { "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -279,8 +279,8 @@ { "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -388,8 +388,8 @@ { "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -753,8 +753,8 @@ { "event.action": "CHANGE_CHROME_OS_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", 
@@ -808,8 +808,8 @@ { "event.action": "CHANGE_CHROME_OS_USER_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -876,8 +876,8 @@ "fileset.name": "admin", "gsuite.actor.type": "USER", "gsuite.admin.device.command_details": [ - "command", - "-a" + "-a", + "command" ], "gsuite.admin.device.serial_number": "1234", "gsuite.admin.device.type": "type", @@ -1076,8 +1076,8 @@ { "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json index 825e497e5a0..00c54f3096f 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json @@ -2,8 +2,8 @@ { "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json index da5410ee7d3..e22c5444b0f 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json @@ -117,8 +117,8 @@ { "event.action": "CHANGE_DOCS_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json index 05143097e3d..404587a6647 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json @@ -784,8 +784,8 @@ { "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -837,8 +837,8 @@ { "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -890,8 +890,8 @@ { "event.action": "ENABLE_API_ACCESS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1209,8 +1209,8 @@ { "event.action": "CHANGE_WHITELIST_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1263,8 +1263,8 @@ { "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1371,8 +1371,8 @@ { "event.action": "ENABLE_FEEDBACK_SOLICITATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1425,8 +1425,8 @@ { "event.action": "TOGGLE_CONTACT_SHARING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1529,8 +1529,8 @@ { "event.action": "TOGGLE_USE_CUSTOM_LOGO", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", 
@@ -1686,8 +1686,8 @@ { "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -2313,8 +2313,8 @@ { "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -2366,8 +2366,8 @@ { "event.action": "TOGGLE_SSO_ENABLED", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -2419,8 +2419,8 @@ { "event.action": "TOGGLE_SSL", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -2893,8 +2893,8 @@ { "event.action": "TOGGLE_NEW_APP_FEATURES", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -2946,8 +2946,8 @@ { "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -3101,8 +3101,8 @@ { "event.action": "TOGGLE_OPEN_ID_ENABLED", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -3207,8 +3207,8 @@ { "event.action": "TOGGLE_OUTBOUND_RELAY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -3421,8 +3421,8 @@ { "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -4306,8 +4306,8 @@ { "event.action": "CHANGE_SSO_SETTINGS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json index ab2ea5b15fa..69ddb7692a2 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json @@ -169,8 +169,8 @@ { "event.action": "CHANGE_EMAIL_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -228,8 +228,8 @@ { "event.action": "CHANGE_GMAIL_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -283,8 +283,8 @@ { "event.action": "CREATE_GMAIL_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -338,8 +338,8 @@ { "event.action": "DELETE_GMAIL_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json index b8d46167531..7cc876ea788 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json 
@@ -10,8 +10,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "admin", "group.domain": "example.com", @@ -64,8 +64,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "admin", "group.domain": "example.com", @@ -118,8 +118,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "group.domain": "example.com", 
@@ -223,8 +223,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "group.domain": "example.com", @@ -284,8 +284,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "group.domain": "example.com", 
@@ -345,8 +345,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "group.domain": "example.com", @@ -408,8 +408,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "group.domain": "example.com", 
@@ -471,8 +471,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "group.domain": "example.com", @@ -534,8 +534,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -638,8 +638,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "group.domain": "example.com", @@ -693,8 +693,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "group.domain": "example.com", 
@@ -750,8 +750,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", "event.provider": "admin", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "admin", "gsuite.actor.type": "USER", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json index 7b41064d5a8..2dbefb68450 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json @@ -10,8 +10,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -70,8 +70,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -597,8 +597,8 @@ { "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -717,8 +717,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -775,8 +775,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -833,8 +833,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -891,8 +891,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -941,8 +941,8 @@ { "event.action": "CHANGE_MOBILE_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1522,8 +1522,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -1580,8 +1580,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1638,8 +1638,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json index 609025f9137..b55578f2e10 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json 
@@ -2,8 +2,8 @@ { "event.action": "ALLOW_STRONG_AUTHENTICATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -56,8 +56,8 @@ { "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -109,8 +109,8 @@ { "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -162,8 +162,8 @@ { "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -378,8 +378,8 @@ { "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -435,8 +435,8 @@ { "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -492,8 +492,8 @@ { "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -549,8 +549,8 @@ { "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -606,8 +606,8 @@ { "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", 
@@ -922,8 +922,8 @@ { "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -979,8 +979,8 @@ { "event.action": "ENFORCE_STRONG_AUTHENTICATION", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1038,8 +1038,8 @@ { "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1092,8 +1092,8 @@ { "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1149,8 +1149,8 @@ { "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -1204,8 +1204,8 @@ { "event.action": "CHANGE_SESSION_LENGTH", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json index 6d7d3e37714..75de8c3c13c 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json @@ -114,8 +114,8 @@ { "event.action": "CHANGE_SITES_SETTING", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", 
@@ -170,8 +170,8 @@ { "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", "event.category": [ - "iam", - "configuration" + "configuration", + "iam" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json index 832cbfc26b7..dc713f9ae92 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json @@ -10,8 +10,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -66,8 +66,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -122,8 +122,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -180,8 +180,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -237,8 +237,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -293,8 +293,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -349,8 +349,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -405,8 +405,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -461,8 +461,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -518,8 +518,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -628,8 +628,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -685,8 +685,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -742,8 +742,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -801,8 +801,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -859,8 +859,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -917,8 +917,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -975,8 +975,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1033,8 +1033,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -1091,8 +1091,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1149,8 +1149,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -1207,8 +1207,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1265,8 +1265,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -1323,8 +1323,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1379,8 +1379,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1435,8 +1435,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -1493,8 +1493,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1554,8 +1554,8 @@ "event.provider": "admin", "event.start": "2002-10-02T15:00:00.000Z", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1615,8 +1615,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -1673,8 +1673,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1730,8 +1730,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -1787,8 +1787,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1844,8 +1844,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -1901,8 +1901,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -1959,8 +1959,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -2016,8 +2016,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2074,8 +2074,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -2131,8 +2131,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2188,8 +2188,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -2245,8 +2245,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2302,8 +2302,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -2358,8 +2358,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2466,8 +2466,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2522,8 +2522,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -2578,8 +2578,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2637,8 +2637,8 @@ "event.provider": "admin", "event.start": "2002-10-02T15:00:00.000Z", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2696,8 +2696,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -2753,8 +2753,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2809,8 +2809,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2865,8 +2865,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -2921,8 +2921,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -2978,8 +2978,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "info" + "info", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", @@ -3035,8 +3035,8 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "admin", "gsuite.actor.type": "USER", 
@@ -3091,8 +3091,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3147,8 +3147,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3203,8 +3203,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3259,8 +3259,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3316,8 +3316,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "creation"
+ "creation",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3372,8 +3372,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "deletion"
+ "deletion",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3428,8 +3428,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3484,8 +3484,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3590,8 +3590,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3648,8 +3648,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3705,8 +3705,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3762,8 +3762,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3818,8 +3818,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3874,8 +3874,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3930,8 +3930,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "creation"
+ "creation",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -3986,8 +3986,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -4042,8 +4042,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
@@ -4150,8 +4150,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
- "user",
- "info"
+ "info",
+ "user"
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json
index 07868860ee6..4068a18c494 100644
--- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json
@@ -66,9 +66,9 @@
 {
 "event.action": "approval_canceled",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -130,9 +130,9 @@
 {
 "event.action": "approval_comment_added",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -194,9 +194,9 @@
 {
 "event.action": "approval_requested",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -258,9 +258,9 @@
 {
 "event.action": "approval_reviewer_responded",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1323,9 +1323,9 @@
 {
 "event.action": "change_acl_editors",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1391,9 +1391,9 @@
 {
 "event.action": "change_document_access_scope",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1460,9 +1460,9 @@
 {
 "event.action": "change_document_visibility",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1529,9 +1529,9 @@
 {
 "event.action": "shared_drive_membership_change",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1598,9 +1598,9 @@
 {
 "event.action": "shared_drive_settings_change",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1667,9 +1667,9 @@
 {
 "event.action": "sheets_import_range_access_change",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1731,9 +1731,9 @@
 {
 "event.action": "change_user_access",
 "event.category": [
+ "configuration",
 "file",
- "iam",
- "configuration"
+ "iam"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json
index 2e43310ea93..758ba9ba2b1 100644
--- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json
@@ -10,8 +10,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -127,9 +127,9 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
+ "change",
 "group",
- "user",
- "change"
+ "user"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -189,9 +189,9 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
+ "change",
 "group",
- "user",
- "change"
+ "user"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -291,8 +291,8 @@
 {
 "event.action": "change_basic_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -300,8 +300,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -357,8 +357,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "creation"
+ "creation",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -411,8 +411,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "deletion"
+ "deletion",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -457,8 +457,8 @@
 {
 "event.action": "change_identity_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -466,8 +466,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -515,8 +515,8 @@
 {
 "event.action": "add_info_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -524,8 +524,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "creation"
+ "creation",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -572,8 +572,8 @@
 {
 "event.action": "change_info_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -581,8 +581,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -630,8 +630,8 @@
 {
 "event.action": "remove_info_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -639,8 +639,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "deletion"
+ "deletion",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -687,8 +687,8 @@
 {
 "event.action": "change_new_members_restrictions_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -696,8 +696,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -745,8 +745,8 @@
 {
 "event.action": "change_post_replies_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -754,8 +754,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -803,8 +803,8 @@
 {
 "event.action": "change_spam_moderation_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -812,8 +812,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -861,8 +861,8 @@
 {
 "event.action": "change_topic_setting",
 "event.category": [
- "iam",
- "configuration"
+ "configuration",
+ "iam"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -870,8 +870,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
- "change"
+ "change",
+ "group"
 ],
 "fileset.name": "groups",
 "group.domain": "example.com",
@@ -1048,8 +1048,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
 "creation",
+ "group",
 "user"
 ],
 "fileset.name": "groups",
@@ -1422,8 +1422,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
- "group",
 "deletion",
+ "group",
 "user"
 ],
 "fileset.name": "groups",
diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
index 9bc77dc7d03..aa37acec18e 100644
--- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
@@ -10,8 +10,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "event.provider": "login",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "login",
 "gsuite.actor.type": "USER",
@@ -218,8 +218,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "event.provider": "login",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "login",
 "gsuite.actor.type": "USER",
@@ -270,8 +270,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "event.provider": "login",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "login",
 "gsuite.actor.type": "USER",
@@ -322,8 +322,8 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "event.provider": "login",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "login",
 "gsuite.actor.type": "USER",
@@ -375,8 +375,8 @@
 "event.provider": "login",
 "event.start": "2020-07-02T13:08:25.123Z",
 "event.type": [
- "user",
- "change"
+ "change",
+ "user"
 ],
 "fileset.name": "login",
 "gsuite.actor.type": "USER",
diff --git a/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01.log-expected.json b/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01.log-expected.json
index 7ccc74ea50b..c29d64be928 100644
--- a/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01.log-expected.json
+++ b/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01.log-expected.json
@@ -13,9 +13,9 @@
 ],
 "ibmmq.errorlog.code": "AMQ6287I",
 "ibmmq.errorlog.commentinsert": [
- "Windows 10 Professional x64 Edition, Build 17134 (MQ Windows (x64 platform) 64-bit)",
+ "9.1.0.0 (p910-L180709.TRIAL)",
 "C:\\\\Program Files\\\\IBM\\\\MQ (Installation1)",
- "9.1.0.0 (p910-L180709.TRIAL)"
+ "Windows 10 Professional x64 Edition, Build 17134 (MQ Windows (x64 platform) 64-bit)"
 ],
 "ibmmq.errorlog.explanation": "Systeminformationen zu IBM",
 "ibmmq.errorlog.installation": "Installation1",
@@ -46,9 +46,9 @@
 ],
 "ibmmq.errorlog.code": "AMQ8576I",
 "ibmmq.errorlog.commentinsert": [
- "Installation1",
+ "",
 "C:\\\\Program Files\\\\IBM\\\\MQ",
- ""
+ "Installation1"
 ],
 "ibmmq.errorlog.explanation": "Alle Tasks, die zur Festlegung der Installation 'Installation1' als prim\ufffdre Installation erforderlich sind, wurden ausgef\ufffdhrt. Wenn die Installation noch nicht als prim\ufffdre Installation festgelegt wurde, dann wurde auch die Konfiguration der Installation aktualisiert, um die Installation 'Installation1' als prim\ufffdre Installation zu identifizieren. Damit die Aktualisierungen systemweit wirksam werden, m\ufffdssen Sie das Betriebssystem erneut starten.",
 "ibmmq.errorlog.installation": "Installation1",
@@ -74,8 +74,8 @@
 "host.hostname": "FELIX-ELASTIC",
 "ibmmq.errorlog.action": "None.",
 "ibmmq.errorlog.arithinsert": [
- "90",
- ""
+ "",
+ "90"
 ],
 "ibmmq.errorlog.code": "AMQ7125I",
 "ibmmq.errorlog.commentinsert": [
@@ -140,14 +140,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Use the standard facilities supplied with your system to record the problem identifier and to save any generated output files. Use either the MQ Support site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a solution is already available. If you are unable to find a match, contact your IBM support center. Do not discard these files until the problem has been resolved.", "ibmmq.errorlog.arithinsert": [ - "8480", - "" + "", + "8480" ], "ibmmq.errorlog.code": "AMQ6184W", "ibmmq.errorlog.commentinsert": [ - "QM1", "", - "" + "", + "QM1" ], "ibmmq.errorlog.explanation": "An error has been detected, and the IBM MQ error recording routine has been called. The failing process is process 8480.", "ibmmq.errorlog.installation": "Installation1", @@ -173,8 +173,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Keine.", "ibmmq.errorlog.arithinsert": [ - "84", - "" + "", + "84" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ @@ -206,8 +206,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Keine.", "ibmmq.errorlog.arithinsert": [ - "84", - "" + "", + "84" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ @@ -239,8 +239,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Keine.", "ibmmq.errorlog.arithinsert": [ - "83", - "" + "", + "83" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ @@ -272,8 +272,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "73", - "" + "", + "73" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ 
@@ -305,8 +305,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "73", - "" + "", + "73" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ @@ -371,14 +371,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Use the standard facilities supplied with your system to record the problem identifier and to save any generated output files. Use either the MQ Support site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a solution is already available. If you are unable to find a match, contact your IBM support center. Do not discard these files until the problem has been resolved.", "ibmmq.errorlog.arithinsert": [ - "7360", - "" + "", + "7360" ], "ibmmq.errorlog.code": "AMQ6184W", "ibmmq.errorlog.commentinsert": [ - "QM1", "", - "" + "", + "QM1" ], "ibmmq.errorlog.explanation": "An error has been detected, and the IBM MQ error recording routine has been called. The failing process is process 7360.", "ibmmq.errorlog.installation": "Installation1", @@ -404,8 +404,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "71", - "" + "", + "71" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ @@ -437,8 +437,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "71", - "" + "", + "71" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ 
@@ -503,14 +503,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Use the standard facilities supplied with your system to record the problem identifier and to save any generated output files. Use either the MQ Support site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a solution is already available. If you are unable to find a match, contact your IBM support center. Do not discard these files until the problem has been resolved.", "ibmmq.errorlog.arithinsert": [ - "7660", - "" + "", + "7660" ], "ibmmq.errorlog.code": "AMQ6184W", "ibmmq.errorlog.commentinsert": [ - "QM1", "", - "" + "", + "QM1" ], "ibmmq.errorlog.explanation": "An error has been detected, and the IBM MQ error recording routine has been called. The failing process is process 7660.", "ibmmq.errorlog.installation": "Installation1", @@ -536,8 +536,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "71", - "" + "", + "71" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ @@ -569,8 +569,8 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "71", - "" + "", + "71" ], "ibmmq.errorlog.code": "AMQ7125I", "ibmmq.errorlog.commentinsert": [ 
@@ -635,14 +635,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Use the standard facilities supplied with your system to record the problem identifier and to save any generated output files. Use either the MQ Support site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a solution is already available. If you are unable to find a match, contact your IBM support center. Do not discard these files until the problem has been resolved.", "ibmmq.errorlog.arithinsert": [ - "6780", - "" + "", + "6780" ], "ibmmq.errorlog.code": "AMQ6184W", "ibmmq.errorlog.commentinsert": [ - "QM1", "", - "" + "", + "QM1" ], "ibmmq.errorlog.explanation": "An error has been detected, and the IBM MQ error recording routine has been called. The failing process is process 6780.", "ibmmq.errorlog.installation": "Installation1", diff --git a/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01_QM2.log-expected.json b/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01_QM2.log-expected.json index 3d6ef8e7d4f..ddaa656e153 100644 --- a/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01_QM2.log-expected.json +++ b/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01_QM2.log-expected.json @@ -13,9 +13,9 @@ ], "ibmmq.errorlog.code": "AMQ6287I", "ibmmq.errorlog.commentinsert": [ - "Windows 10 Professional x64 Edition, Build 17134 (MQ Windows (x64 platform) 64-bit)", + "9.1.0.0 (p910-L180709.TRIAL)", "C:\\\\Program Files\\\\IBM\\\\MQ (Installation1)", - "9.1.0.0 (p910-L180709.TRIAL)" + "Windows 10 Professional x64 Edition, Build 17134 (MQ Windows (x64 platform) 64-bit)" ], "ibmmq.errorlog.explanation": "Systeminformationen zu IBM", "ibmmq.errorlog.installation": "Installation1", 
@@ -47,9 +47,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "LOGGER-IO", "", - "" + "", + "LOGGER-IO" ], "ibmmq.errorlog.explanation": "Die Task 'LOGGER-IO' wurde vom Task-Manager f\ufffdr kritische Dienstprogramme gestartet. Diese Task wurde jetzt 1 Mal gestartet.", "ibmmq.errorlog.installation": "Installation1", @@ -81,9 +81,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "LOGGER-IO", "", - "" + "", + "LOGGER-IO" ], "ibmmq.errorlog.explanation": "Die WS-Manager-Task 'LOGGER-IO' wurde beendet.", "ibmmq.errorlog.installation": "Installation1", @@ -115,9 +115,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "LOGGER-IO", "", - "" + "", + "LOGGER-IO" ], "ibmmq.errorlog.explanation": "Die Task 'LOGGER-IO' wurde vom Task-Manager f\ufffdr kritische Dienstprogramme gestartet. Diese Task wurde jetzt 1 Mal gestartet.", "ibmmq.errorlog.installation": "Installation1", @@ -144,14 +144,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Keine.", "ibmmq.errorlog.arithinsert": [ - "4", - "" + "", + "4" ], "ibmmq.errorlog.code": "AMQ7229I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "4 Protokolls\ufffdtze wurden bisher auf WS-Manager QM2 w\ufffdhrend der Protokollwiederholungsphase aufgerufen, um den WS-Manager in einen zuvor bekannten Status zur\ufffdckzuversetzen.", "ibmmq.errorlog.installation": "Installation1", @@ -178,14 +178,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Keine.", "ibmmq.errorlog.arithinsert": [ - "4", - "" + "", + "4" ], "ibmmq.errorlog.code": "AMQ7230I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "Die Protokollwiederholungsphase des Neustartprozesses wurde f\ufffdr WS-Manager QM2 beendet.", "ibmmq.errorlog.installation": "Installation1", 
@@ -217,9 +217,9 @@ ], "ibmmq.errorlog.code": "AMQ7231I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "W\ufffdhrend der Wiederherstellungsphase des Transaktionsmanagerstatus wurden bisher 0 Protokolls\ufffdtze auf WS-Manager QM2 aufgerufen.", "ibmmq.errorlog.installation": "Installation1", @@ -251,9 +251,9 @@ ], "ibmmq.errorlog.code": "AMQ7232I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "Der Status der Transaktionen zu dem Zeitpunkt, als der WS-Manager beendet wurde, wurde f\ufffdr WS-Manager QM2 wiederhergestellt.", "ibmmq.errorlog.installation": "Installation1", @@ -285,9 +285,9 @@ ], "ibmmq.errorlog.code": "AMQ7233I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "0 von 0 Transaktionen, die zum Zeitpunkt der Beendigung des WS-Managers QM2 unvollst\ufffdndig waren, wurden aufgel\ufffdst.", "ibmmq.errorlog.installation": "Installation1", @@ -319,9 +319,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "CHECKPOINT", "", - "" + "", + "CHECKPOINT" ], "ibmmq.errorlog.explanation": "Die Task 'CHECKPOINT' wurde vom Task-Manager f\ufffdr kritische Dienstprogramme gestartet. Diese Task wurde jetzt 1 Mal gestartet.", "ibmmq.errorlog.installation": "Installation1", @@ -353,9 +353,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "ERROR-LOG", "", - "" + "", + "ERROR-LOG" ], "ibmmq.errorlog.explanation": "Die Task 'ERROR-LOG' wurde vom Task-Manager f\ufffdr wieder anlauff\ufffdhige Dienstprogramme gestartet. Diese Task wurde jetzt 1 Mal gestartet.", "ibmmq.errorlog.installation": "Installation1", 
@@ -387,9 +387,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "Die Task 'APP-SIGNAL' wurde vom Task-Manager f\ufffdr wieder anlauff\ufffdhige Dienstprogramme gestartet. Diese Task wurde jetzt 1 Mal gestartet.", "ibmmq.errorlog.installation": "Installation1", @@ -421,9 +421,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "Die Task 'APP-SIGNAL' wurde vom Task-Manager f\ufffdr wieder anlauff\ufffdhige Dienstprogramme gestartet. Diese Task wurde jetzt 2 Mal gestartet.", "ibmmq.errorlog.installation": "Installation1", @@ -455,9 +455,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "Die Task 'APP-SIGNAL' wurde vom Task-Manager f\ufffdr wieder anlauff\ufffdhige Dienstprogramme gestartet. Diese Task wurde jetzt 3 Mal gestartet.", "ibmmq.errorlog.installation": "Installation1", @@ -489,9 +489,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "Die Task 'APP-SIGNAL' wurde vom Task-Manager f\ufffdr wieder anlauff\ufffdhige Dienstprogramme gestartet. Diese Task wurde jetzt 4 Mal gestartet.", "ibmmq.errorlog.installation": "Installation1", @@ -518,14 +518,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "Keine.", "ibmmq.errorlog.arithinsert": [ - "87", - "" + "", + "87" ], "ibmmq.errorlog.code": "AMQ8048I", "ibmmq.errorlog.commentinsert": [ - "0", "", - "" + "", + "0" ], "ibmmq.errorlog.explanation": "Dies sind Informationen zur Anzahl der erfolgreich erstellten oder ersetzten Objekte sowie zu den Fehlschl\ufffdgen beim Erstellen der Standardobjekte.", "ibmmq.errorlog.installation": "Installation1", 
@@ -557,8 +557,8 @@ ], "ibmmq.errorlog.code": "AMQ8003I", "ibmmq.errorlog.commentinsert": [ - "9.1.0.0", "", + "9.1.0.0", "QM2" ], "ibmmq.errorlog.explanation": "IBM MQ-WS-Manager 'QM2' wurde mit V9.1.0.0 gestartet.", @@ -591,9 +591,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "Die WS-Manager-Task 'APP-SIGNAL' wurde beendet.", "ibmmq.errorlog.installation": "Installation1", @@ -625,9 +625,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "Die WS-Manager-Task 'APP-SIGNAL' wurde beendet.", "ibmmq.errorlog.installation": "Installation1", @@ -659,9 +659,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "ERROR-LOG", "", - "" + "", + "ERROR-LOG" ], "ibmmq.errorlog.explanation": "Die WS-Manager-Task 'ERROR-LOG' wurde beendet.", "ibmmq.errorlog.installation": "Installation1", @@ -693,9 +693,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "CHECKPOINT", "", - "" + "", + "CHECKPOINT" ], "ibmmq.errorlog.explanation": "Die WS-Manager-Task 'CHECKPOINT' wurde beendet.", "ibmmq.errorlog.installation": "Installation1", @@ -727,9 +727,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "LOGGER-IO", "", - "" + "", + "LOGGER-IO" ], "ibmmq.errorlog.explanation": "Die WS-Manager-Task 'LOGGER-IO' wurde beendet.", "ibmmq.errorlog.installation": "Installation1", @@ -795,9 +795,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "LOGGER-IO", "", - "" + "", + "LOGGER-IO" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the LOGGER-IO task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", 
@@ -824,14 +824,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "5", - "" + "", + "5" ], "ibmmq.errorlog.code": "AMQ7229I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "5 log records have been accessed so far on queue manager QM2 during the log replay phase in order to bring the queue manager back to a previously known state.", "ibmmq.errorlog.installation": "Installation1", @@ -858,14 +858,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "5", - "" + "", + "5" ], "ibmmq.errorlog.code": "AMQ7230I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "The log replay phase of the queue manager restart process has been completed for queue manager QM2.", "ibmmq.errorlog.installation": "Installation1", @@ -897,9 +897,9 @@ ], "ibmmq.errorlog.code": "AMQ7231I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "0 log records have been accessed so far on queue manager QM2 during the recovery phase of the transactions manager state.", "ibmmq.errorlog.installation": "Installation1", @@ -931,9 +931,9 @@ ], "ibmmq.errorlog.code": "AMQ7232I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "The state of transactions at the time the queue manager ended has been recovered for queue manager QM2.", "ibmmq.errorlog.installation": "Installation1", @@ -965,9 +965,9 @@ ], "ibmmq.errorlog.code": "AMQ7233I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "0 transactions out of 0 in-flight at the time queue manager QM2 ended have been resolved.", "ibmmq.errorlog.installation": "Installation1", 
@@ -999,9 +999,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "CHECKPOINT", "", - "" + "", + "CHECKPOINT" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the CHECKPOINT task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1033,9 +1033,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "ERROR-LOG", "", - "" + "", + "ERROR-LOG" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the ERROR-LOG task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1067,9 +1067,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the APP-SIGNAL task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1101,9 +1101,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the APP-SIGNAL task. This task has now started 2 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1135,9 +1135,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the APP-SIGNAL task. This task has now started 3 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1169,9 +1169,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the APP-SIGNAL task. This task has now started 4 times.", "ibmmq.errorlog.installation": "Installation1", 
@@ -1203,8 +1203,8 @@ ], "ibmmq.errorlog.code": "AMQ8003I", "ibmmq.errorlog.commentinsert": [ - "9.1.0.0", "", + "9.1.0.0", "QM2" ], "ibmmq.errorlog.explanation": "IBM MQ queue manager 'QM2' started using V9.1.0.0.", @@ -1237,9 +1237,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "DEFERRED_DELIVERY", "", - "" + "", + "DEFERRED_DELIVERY" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the DEFERRED_DELIVERY task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1271,9 +1271,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "ACTVTRC", "", - "" + "", + "ACTVTRC" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the ACTVTRC task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1305,9 +1305,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "DEFERRED-MSG", "", - "" + "", + "DEFERRED-MSG" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the DEFERRED-MSG task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1339,9 +1339,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "ASYNCQ", "", - "" + "", + "ASYNCQ" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the ASYNCQ task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1373,9 +1373,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "STATISTICS", "", - "" + "", + "STATISTICS" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the STATISTICS task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", 
@@ -1407,9 +1407,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "EXPIRER", "", - "" + "", + "EXPIRER" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the EXPIRER task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1441,9 +1441,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "DUR-SUBS-MGR", "", - "" + "", + "DUR-SUBS-MGR" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the DUR-SUBS-MGR task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1509,9 +1509,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "TOPIC-TREE", "", - "" + "", + "TOPIC-TREE" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the TOPIC-TREE task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1543,9 +1543,9 @@ ], "ibmmq.errorlog.code": "AMQ5052I", "ibmmq.errorlog.commentinsert": [ - "QPUBSUB-CTRLR", "", - "" + "", + "QPUBSUB-CTRLR" ], "ibmmq.errorlog.explanation": "The publish/subscribe utility task manager has started the QPUBSUB-CTRLR task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1577,9 +1577,9 @@ ], "ibmmq.errorlog.code": "AMQ5037I", "ibmmq.errorlog.commentinsert": [ - "MARKINTSCAN", "", - "" + "", + "MARKINTSCAN" ], "ibmmq.errorlog.explanation": "The restartable utility task manager has started the MARKINTSCAN task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1611,9 +1611,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "RESOURCE_MONITOR", "", - "" + "", + "RESOURCE_MONITOR" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the RESOURCE_MONITOR task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", 
@@ -1645,9 +1645,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "PRESERVED-Q", "", - "" + "", + "PRESERVED-Q" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the PRESERVED-Q task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1679,9 +1679,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "Q-DELETION", "", - "" + "", + "Q-DELETION" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the Q-DELETION task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1713,9 +1713,9 @@ ], "ibmmq.errorlog.code": "AMQ5052I", "ibmmq.errorlog.commentinsert": [ - "QPUBSUB-SUBPT-NLCACHE", "", - "" + "", + "QPUBSUB-SUBPT-NLCACHE" ], "ibmmq.errorlog.explanation": "The publish/subscribe utility task manager has started the QPUBSUB-SUBPT-NLCACHE task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1747,9 +1747,9 @@ ], "ibmmq.errorlog.code": "AMQ5052I", "ibmmq.errorlog.commentinsert": [ - "QPUBSUB-QUEUE-NLCACHE", "", - "" + "", + "QPUBSUB-QUEUE-NLCACHE" ], "ibmmq.errorlog.explanation": "The publish/subscribe utility task manager has started the QPUBSUB-QUEUE-NLCACHE task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1781,9 +1781,9 @@ ], "ibmmq.errorlog.code": "AMQ5051I", "ibmmq.errorlog.commentinsert": [ - "MULTICAST", "", - "" + "", + "MULTICAST" ], "ibmmq.errorlog.explanation": "The critical utility task manager has started the MULTICAST task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", 
@@ -1815,9 +1815,9 @@ ], "ibmmq.errorlog.code": "AMQ5052I", "ibmmq.errorlog.commentinsert": [ - "PUBSUB-DAEMON", "", - "" + "", + "PUBSUB-DAEMON" ], "ibmmq.errorlog.explanation": "The publish/subscribe utility task manager has started the PUBSUB-DAEMON task. This task has now started 1 times.", "ibmmq.errorlog.installation": "Installation1", @@ -1849,9 +1849,9 @@ ], "ibmmq.errorlog.code": "AMQ5975I", "ibmmq.errorlog.commentinsert": [ - "IBM MQ Distributed Pub/Sub Controller", "", - "" + "", + "IBM MQ Distributed Pub/Sub Controller" ], "ibmmq.errorlog.explanation": "'IBM MQ Distributed Pub/Sub Controller' has started.", "ibmmq.errorlog.installation": "Installation1", @@ -1883,9 +1883,9 @@ ], "ibmmq.errorlog.code": "AMQ5975I", "ibmmq.errorlog.commentinsert": [ - "IBM MQ Distributed Pub/Sub Publish Task", "", - "" + "", + "IBM MQ Distributed Pub/Sub Publish Task" ], "ibmmq.errorlog.explanation": "'IBM MQ Distributed Pub/Sub Publish Task' has started.", "ibmmq.errorlog.installation": "Installation1", @@ -1917,9 +1917,9 @@ ], "ibmmq.errorlog.code": "AMQ5975I", "ibmmq.errorlog.commentinsert": [ - "IBM MQ Distributed Pub/Sub Fan Out Task", "", - "" + "", + "IBM MQ Distributed Pub/Sub Fan Out Task" ], "ibmmq.errorlog.explanation": "'IBM MQ Distributed Pub/Sub Fan Out Task' has started.", "ibmmq.errorlog.installation": "Installation1", @@ -1951,9 +1951,9 @@ ], "ibmmq.errorlog.code": "AMQ5975I", "ibmmq.errorlog.commentinsert": [ - "IBM MQ Distributed Pub/Sub Command Task", "", - "" + "", + "IBM MQ Distributed Pub/Sub Command Task" ], "ibmmq.errorlog.explanation": "'IBM MQ Distributed Pub/Sub Command Task' has started.", "ibmmq.errorlog.installation": "Installation1", 
@@ -1980,14 +1980,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "9264", - "" + "", + "9264" ], "ibmmq.errorlog.code": "AMQ5022I", "ibmmq.errorlog.commentinsert": [ - "SYSTEM.CHANNEL.INITQ", "", - "" + "", + "SYSTEM.CHANNEL.INITQ" ], "ibmmq.errorlog.explanation": "The channel initiator process has started.", "ibmmq.errorlog.installation": "Installation1", @@ -2014,14 +2014,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "19060", - "" + "", + "19060" ], "ibmmq.errorlog.code": "AMQ5024I", "ibmmq.errorlog.commentinsert": [ - "SYSTEM.CMDSERVER.1", "", - "" + "", + "SYSTEM.CMDSERVER.1" ], "ibmmq.errorlog.explanation": "The command server process has started.", "ibmmq.errorlog.installation": "Installation1", @@ -2053,9 +2053,9 @@ ], "ibmmq.errorlog.code": "AMQ5806I", "ibmmq.errorlog.commentinsert": [ - "QM2", "", - "" + "", + "QM2" ], "ibmmq.errorlog.explanation": "Queued Publish/Subscribe Daemon started for queue manager QM2.", "ibmmq.errorlog.installation": "Installation1", @@ -2087,9 +2087,9 @@ ], "ibmmq.errorlog.code": "AMQ8024I", "ibmmq.errorlog.commentinsert": [ - "SYSTEM.CHANNEL.INITQ", "", - "" + "", + "SYSTEM.CHANNEL.INITQ" ], "ibmmq.errorlog.explanation": "The channel initiator for queue SYSTEM.CHANNEL.INITQ has been started.", "ibmmq.errorlog.installation": "Installation1", @@ -2116,14 +2116,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "37632", - "" + "", + "37632" ], "ibmmq.errorlog.code": "AMQ5026I", "ibmmq.errorlog.commentinsert": [ - "LISTENER.TCP", "", - "" + "", + "LISTENER.TCP" ], "ibmmq.errorlog.explanation": "The listener process has started.", "ibmmq.errorlog.installation": "Installation1", 
@@ -2155,9 +2155,9 @@ ], "ibmmq.errorlog.code": "AMQ9002I", "ibmmq.errorlog.commentinsert": [ - "CHL.QM1.QM2", "", - "" + "", + "CHL.QM1.QM2" ], "ibmmq.errorlog.explanation": "Channel 'CHL.QM1.QM2' is starting.", "ibmmq.errorlog.installation": "Installation1", @@ -2189,9 +2189,9 @@ ], "ibmmq.errorlog.code": "AMQ9002I", "ibmmq.errorlog.commentinsert": [ - "CHL.QM2.QM1", "", - "" + "", + "CHL.QM2.QM1" ], "ibmmq.errorlog.explanation": "Channel 'CHL.QM2.QM1' is starting.", "ibmmq.errorlog.installation": "Installation1", @@ -2224,8 +2224,8 @@ ], "ibmmq.errorlog.code": "AMQ9776E", "ibmmq.errorlog.commentinsert": [ - "CLI.LOGSTASH", "127.0.0.1", + "CLI.LOGSTASH", "MCAUSER(felix) CLNTUSER(felix) ADDRESS(picmention)" ], "ibmmq.errorlog.explanation": "The inbound channel 'CLI.LOGSTASH' was blocked from address '127.0.0.1' because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were 'MCAUSER(felix) CLNTUSER(felix) ADDRESS(picmention)'.", @@ -2258,9 +2258,9 @@ ], "ibmmq.errorlog.code": "AMQ9999E", "ibmmq.errorlog.commentinsert": [ - "CLI.LOGSTASH", + "127.0.0.1", "44852(28928)", - "127.0.0.1" + "CLI.LOGSTASH" ], "ibmmq.errorlog.explanation": "The channel program running under process ID 44852(28928) for channel 'CLI.LOGSTASH' ended abnormally. The host name is '127.0.0.1'; in some cases the host name cannot be determined and so is shown as '????'.", "ibmmq.errorlog.installation": "Installation1", @@ -2293,8 +2293,8 @@ ], "ibmmq.errorlog.code": "AMQ9776E", "ibmmq.errorlog.commentinsert": [ - "CLI.LOGSTASH", "127.0.0.1", + "CLI.LOGSTASH", "MCAUSER(felix) CLNTUSER(felix) ADDRESS(picmention)" ], "ibmmq.errorlog.explanation": "The inbound channel 'CLI.LOGSTASH' was blocked from address '127.0.0.1' because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were 'MCAUSER(felix) CLNTUSER(felix) ADDRESS(picmention)'.", 
@@ -2327,9 +2327,9 @@ ], "ibmmq.errorlog.code": "AMQ9999E", "ibmmq.errorlog.commentinsert": [ - "CLI.LOGSTASH", + "127.0.0.1", "44852(22352)", - "127.0.0.1" + "CLI.LOGSTASH" ], "ibmmq.errorlog.explanation": "The channel program running under process ID 44852(22352) for channel 'CLI.LOGSTASH' ended abnormally. The host name is '127.0.0.1'; in some cases the host name cannot be determined and so is shown as '????'.", "ibmmq.errorlog.installation": "Installation1", @@ -2362,8 +2362,8 @@ ], "ibmmq.errorlog.code": "AMQ9776E", "ibmmq.errorlog.commentinsert": [ - "CLI.LOGSTASH", "127.0.0.1", + "CLI.LOGSTASH", "MCAUSER(felix) CLNTUSER(felix) ADDRESS(picmention)" ], "ibmmq.errorlog.explanation": "The inbound channel 'CLI.LOGSTASH' was blocked from address '127.0.0.1' because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were 'MCAUSER(felix) CLNTUSER(felix) ADDRESS(picmention)'.", @@ -2396,9 +2396,9 @@ ], "ibmmq.errorlog.code": "AMQ9999E", "ibmmq.errorlog.commentinsert": [ - "CLI.LOGSTASH", + "127.0.0.1", "44852(4436)", - "127.0.0.1" + "CLI.LOGSTASH" ], "ibmmq.errorlog.explanation": "The channel program running under process ID 44852(4436) for channel 'CLI.LOGSTASH' ended abnormally. The host name is '127.0.0.1'; in some cases the host name cannot be determined and so is shown as '????'.", "ibmmq.errorlog.installation": "Installation1", @@ -2431,8 +2431,8 @@ ], "ibmmq.errorlog.code": "AMQ9776E", "ibmmq.errorlog.commentinsert": [ - "CLI.LOGSTASH", "127.0.0.1", + "CLI.LOGSTASH", "MCAUSER(felix) CLNTUSER(felix) ADDRESS(picmention)" ], "ibmmq.errorlog.explanation": "The inbound channel 'CLI.LOGSTASH' was blocked from address '127.0.0.1' because the active values of the channel were mapped to a userid which should be blocked. The active values of the channel were 'MCAUSER(felix) CLNTUSER(felix) ADDRESS(picmention)'.", 
@@ -2465,9 +2465,9 @@ ], "ibmmq.errorlog.code": "AMQ9999E", "ibmmq.errorlog.commentinsert": [ - "CLI.LOGSTASH", + "127.0.0.1", "44852(34856)", - "127.0.0.1" + "CLI.LOGSTASH" ], "ibmmq.errorlog.explanation": "The channel program running under process ID 44852(34856) for channel 'CLI.LOGSTASH' ended abnormally. The host name is '127.0.0.1'; in some cases the host name cannot be determined and so is shown as '????'.", "ibmmq.errorlog.installation": "Installation1", @@ -2562,14 +2562,14 @@ "host.hostname": "FELIX-ELASTIC", "ibmmq.errorlog.action": "None.", "ibmmq.errorlog.arithinsert": [ - "2162", - "" + "", + "2162" ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "DEFERRED_DELIVERY", "", - "" + "", + "DEFERRED_DELIVERY" ], "ibmmq.errorlog.explanation": "The queue manager task DEFERRED_DELIVERY has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2601,9 +2601,9 @@ ], "ibmmq.errorlog.code": "AMQ9542W", "ibmmq.errorlog.commentinsert": [ - "CHL.QM2.QM1", "", - "" + "", + "CHL.QM2.QM1" ], "ibmmq.errorlog.explanation": "The program will end because the queue manager is quiescing.", "ibmmq.errorlog.installation": "Installation1", @@ -2635,9 +2635,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "ACTVTRC", "", - "" + "", + "ACTVTRC" ], "ibmmq.errorlog.explanation": "The queue manager task ACTVTRC has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2669,9 +2669,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "ASYNCQ", "", - "" + "", + "ASYNCQ" ], "ibmmq.errorlog.explanation": "The queue manager task ASYNCQ has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2703,9 +2703,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "EXPIRER", "", - "" + "", + "EXPIRER" ], "ibmmq.errorlog.explanation": "The queue manager task EXPIRER has ended.", "ibmmq.errorlog.installation": "Installation1", 
@@ -2737,9 +2737,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "DUR-SUBS-MGR", "", - "" + "", + "DUR-SUBS-MGR" ], "ibmmq.errorlog.explanation": "The queue manager task DUR-SUBS-MGR has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2771,9 +2771,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "TOPIC-TREE", "", - "" + "", + "TOPIC-TREE" ], "ibmmq.errorlog.explanation": "The queue manager task TOPIC-TREE has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2805,9 +2805,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "RESOURCE_MONITOR", "", - "" + "", + "RESOURCE_MONITOR" ], "ibmmq.errorlog.explanation": "The queue manager task RESOURCE_MONITOR has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2839,9 +2839,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "Q-DELETION", "", - "" + "", + "Q-DELETION" ], "ibmmq.errorlog.explanation": "The queue manager task Q-DELETION has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2873,9 +2873,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "PRESERVED-Q", "", - "" + "", + "PRESERVED-Q" ], "ibmmq.errorlog.explanation": "The queue manager task PRESERVED-Q has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2907,9 +2907,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "MULTICAST", "", - "" + "", + "MULTICAST" ], "ibmmq.errorlog.explanation": "The queue manager task MULTICAST has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -2941,9 +2941,9 @@ ], "ibmmq.errorlog.code": "AMQ9001I", "ibmmq.errorlog.commentinsert": [ - "CHL.QM2.QM1", + "127.0.0.1(1414)", "37368(31284)", - "127.0.0.1(1414)" + "CHL.QM2.QM1" ], "ibmmq.errorlog.explanation": "Channel 'CHL.QM2.QM1' to host '127.0.0.1(1414)' ended normally.", "ibmmq.errorlog.installation": "Installation1", 
@@ -2975,9 +2975,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "APP-SIGNAL", "", - "" + "", + "APP-SIGNAL" ], "ibmmq.errorlog.explanation": "The queue manager task APP-SIGNAL has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3009,9 +3009,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "ACTVTRC", "", - "" + "", + "ACTVTRC" ], "ibmmq.errorlog.explanation": "The queue manager task ACTVTRC has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3043,9 +3043,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "DEFERRED-MSG", "", - "" + "", + "DEFERRED-MSG" ], "ibmmq.errorlog.explanation": "The queue manager task DEFERRED-MSG has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3077,9 +3077,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "QPUBSUB-CTRLR", "", - "" + "", + "QPUBSUB-CTRLR" ], "ibmmq.errorlog.explanation": "The queue manager task QPUBSUB-CTRLR has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3111,9 +3111,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "QPUBSUB-QUEUE-NLCACHE", "", - "" + "", + "QPUBSUB-QUEUE-NLCACHE" ], "ibmmq.errorlog.explanation": "The queue manager task QPUBSUB-QUEUE-NLCACHE has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3145,9 +3145,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "STATISTICS", "", - "" + "", + "STATISTICS" ], "ibmmq.errorlog.explanation": "The queue manager task STATISTICS has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3179,9 +3179,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "QPUBSUB-SUBPT-NLCACHE", "", - "" + "", + "QPUBSUB-SUBPT-NLCACHE" ], "ibmmq.errorlog.explanation": "The queue manager task QPUBSUB-SUBPT-NLCACHE has ended.", "ibmmq.errorlog.installation": "Installation1", 
@@ -3213,9 +3213,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "MARKINTSCAN", "", - "" + "", + "MARKINTSCAN" ], "ibmmq.errorlog.explanation": "The queue manager task MARKINTSCAN has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3247,9 +3247,9 @@ ], "ibmmq.errorlog.code": "AMQ5041I", "ibmmq.errorlog.commentinsert": [ - "PUBSUB-DAEMON", "", - "" + "", + "PUBSUB-DAEMON" ], "ibmmq.errorlog.explanation": "The queue manager task PUBSUB-DAEMON has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3280,9 +3280,9 @@ ], "ibmmq.errorlog.code": "AMQ5976I", "ibmmq.errorlog.commentinsert": [ - "IBM MQ Distributed Pub/Sub Publish Task", "", - "" + "", + "IBM MQ Distributed Pub/Sub Publish Task" ], "ibmmq.errorlog.explanation": "'IBM MQ Distributed Pub/Sub Publish Task' has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3313,9 +3313,9 @@ ], "ibmmq.errorlog.code": "AMQ5976I", "ibmmq.errorlog.commentinsert": [ - "IBM MQ Distributed Pub/Sub Command Task", "", - "" + "", + "IBM MQ Distributed Pub/Sub Command Task" ], "ibmmq.errorlog.explanation": "'IBM MQ Distributed Pub/Sub Command Task' has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3346,9 +3346,9 @@ ], "ibmmq.errorlog.code": "AMQ5976I", "ibmmq.errorlog.commentinsert": [ - "IBM MQ Distributed Pub/Sub Fan Out Task", "", - "" + "", + "IBM MQ Distributed Pub/Sub Fan Out Task" ], "ibmmq.errorlog.explanation": "'IBM MQ Distributed Pub/Sub Fan Out Task' has ended.", "ibmmq.errorlog.installation": "Installation1", @@ -3379,9 +3379,9 @@ ], "ibmmq.errorlog.code": "AMQ5976I", "ibmmq.errorlog.commentinsert": [ - "IBM MQ Distributed Pub/Sub Controller", "", - "" + "", + "IBM MQ Distributed Pub/Sub Controller" ], "ibmmq.errorlog.explanation": "'IBM MQ Distributed Pub/Sub Controller' has ended.", "ibmmq.errorlog.installation": "Installation1", 
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 18c77acd153..5fa2c90a411 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -23,8 +23,8 @@ "radipis5408.mail.local" ], "related.ip": [ - "10.81.122.126", - "10.70.155.35" + "10.70.155.35", + "10.81.122.126" ], "related.user": [ "aqui", @@ -56,8 +56,8 @@ ], "source.port": 4141, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "tatno" }, @@ -84,8 +84,8 @@ "rsa.time.starttime": "2016-02-12T15:12:33.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "temq" }, @@ -141,8 +141,8 @@ ], "source.port": 3947, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "qua" }, @@ -176,6 +176,10 @@ "related.user": [ "modocons", "lapariat", +<<<<<<< HEAD +======= + "modocons", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "mquidol" ], "rsa.counters.dclass_c1": 6564, @@ -203,8 +207,8 @@ ], "source.port": 7668, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "mquidol" }, @@ -234,13 +238,19 @@ "amest4147.mail.host" ], "related.ip": [ - "10.6.137.200", - "10.197.250.10" + "10.197.250.10", + "10.6.137.200" ], "related.user": [ +<<<<<<< HEAD "occae", "oluptas", "intoc" +======= + "intoc", + "occae", + "oluptas" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", 
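Review bot: The new side of the `@@ -176,6 +176,10 @@` and `@@ -234,13 +238,19 @@` hunks commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 52f226530d...`) into `generated.log-expected.json`, which leaves the fixture unparseable as JSON, so the imperva securesphere golden-file comparison cannot load it. The same markers recur in the later `related.user` hunks of this file section, through `@@ -4421,9 +4615,15 @@`, and the commit message's `# Conflicts:` list names this file, which suggests the cherry-pick was committed before the conflicts were resolved. Each marker pair should collapse to its sorted branch only — e.g. `"intoc", "occae", "oluptas"` in the `@@ -234,13 +238,19 @@` hunk — with the three marker lines dropped; where the two sides differ in content rather than order (the extra `"modocons"` the incoming side adds at `@@ -176,6 +176,10 @@`), the expected file is better regenerated from the pipeline output than hand-merged. Running the expected files through a strict JSON parser (`python -m json.tool` or `jq .`) before committing would catch this kind of breakage.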
@@ -270,8 +280,8 @@ ], "source.port": 2707, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "internal.example.net", "url.extension": "html", @@ -311,21 +321,27 @@ "eratv6205.internal.lan" ], "related.ip": [ - "10.36.194.106", - "10.179.124.125" + "10.179.124.125", + "10.36.194.106" ], "related.user": [ +<<<<<<< HEAD "reme", "ncidid", "acommod" +======= + "acommod", + "ncidid", + "reme" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 2462, "rsa.db.database": "uaUteni", "rsa.internal.event_desc": "osqui", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "lamcolab", - "accept" + "accept", + "lamcolab" ], "rsa.misc.category": "xerc", "rsa.misc.disposition": "iutali", @@ -347,8 +363,8 @@ ], "source.port": 1696, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "example.net", "url.extension": "gif", @@ -356,8 +372,8 @@ "url.original": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", "url.path": "/tlabo/uames.gif", "url.query": [ - "ulapa", - "mpo=offi" + "mpo=offi", + "ulapa" ], "url.scheme": "https", "user.name": "ncidid" @@ -386,12 +402,16 @@ "didunt1355.corp" ], "related.ip": [ - "10.211.105.204", - "10.129.149.43" + "10.129.149.43", + "10.211.105.204" ], "related.user": [ + "eveli", "labor", +<<<<<<< HEAD "eveli", +======= +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "orema" ], "rsa.counters.dclass_c1": 6855, @@ -419,8 +439,8 @@ ], "source.port": 2742, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "eveli" }, 
@@ -452,9 +472,15 @@ "10.112.250.193" ], "related.user": [ +<<<<<<< HEAD "ipsumdol", "ide", "Exc" +======= + "Exc", + "ide", + "ipsumdol" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -481,8 +507,8 @@ ], "source.port": 5705, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ipsumdol" }, @@ -513,9 +539,15 @@ "10.251.20.13" ], "related.user": [ +<<<<<<< HEAD "tnonpro", "iquipe", "ovol" +======= + "iquipe", + "ovol", + "tnonpro" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -538,8 +570,8 @@ ], "source.port": 1450, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "iquipe" }, @@ -600,8 +632,8 @@ ], "source.port": 7829, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "archite" }, @@ -633,9 +665,15 @@ "10.168.159.13" ], "related.user": [ +<<<<<<< HEAD "inci", "isnostr", "atemq" +======= + "atemq", + "inci", + "isnostr" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 6135, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -662,8 +700,8 @@ ], "source.port": 2631, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "inci" }, @@ -691,13 +729,18 @@ "atevelit2450.local" ], "related.ip": [ - "10.49.167.57", - "10.41.21.204" + "10.41.21.204", + "10.49.167.57" ], "related.user": [ "ccaeca", +<<<<<<< HEAD "tali", "sau" +======= + "sau", + "tali" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -724,8 +767,8 @@ ], "source.port": 3540, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "tali" }, @@ -792,8 +835,8 @@ ], "source.port": 3406, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "example.org", "url.extension": "html", @@ -801,8 +844,8 @@ "url.original": "https://example.org/umwrit/uptate.html?ctetura=aveni#elit", "url.path": "/umwrit/uptate.html", "url.query": [ - "seosqui", - "ctetura=aveni" + "ctetura=aveni", + "seosqui" ], "url.scheme": "https", "user.name": "llamco" @@ -833,8 +876,8 @@ "umdolor4389.api.home" ], "related.ip": [ - "10.52.125.9", - "10.204.128.215" + "10.204.128.215", + "10.52.125.9" ], "related.user": [ "nci", @@ -869,8 +912,8 @@ ], "source.port": 3689, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "api.example.org", "url.extension": "txt", @@ -936,8 +979,8 @@ ], "source.port": 3022, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "icabo" }, @@ -965,8 +1008,8 @@ "ipi7727.www5.domain" ], "related.ip": [ - "10.226.101.180", - "10.134.5.40" + "10.134.5.40", + "10.226.101.180" ], "related.user": [ "conse", @@ -998,8 +1041,8 @@ ], "source.port": 7284, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "siu" }, @@ -1060,8 +1103,8 @@ ], "source.port": 7576, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "velite" }, @@ -1094,8 +1137,13 @@ ], "related.user": [ "accusant", +<<<<<<< HEAD "quamnih", "item" +======= + "item", + "quamnih" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3278, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1122,8 +1170,8 @@ ], "source.port": 136, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "accusant" }, @@ -1150,8 +1198,8 @@ "rsa.time.starttime": "2016-10-12T14:56:16.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "sequa" }, @@ -1179,12 +1227,16 @@ "maliquam2147.internal.home" ], "related.ip": [ - "10.248.184.200", - "10.100.98.56" + "10.100.98.56", + "10.248.184.200" ], "related.user": [ "proident", "boru", +<<<<<<< HEAD +======= + "proident", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "ritati" ], "rsa.counters.dclass_c1": 5923, @@ -1212,8 +1264,8 @@ ], "source.port": 5315, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "boru" }, @@ -1245,9 +1297,15 @@ "10.197.6.245" ], "related.user": [ +<<<<<<< HEAD "oluptat", "aecatcup", "dtempo" +======= + "aecatcup", + "dtempo", + "oluptat" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1274,8 +1332,8 @@ ], "source.port": 3570, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "dtempo" }, @@ -1307,9 +1365,15 @@ "10.6.27.103" ], "related.user": [ +<<<<<<< HEAD "ationul", "redol", "asnu" +======= + "asnu", + "ationul", + "redol" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1336,8 +1400,8 @@ ], "source.port": 2003, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "redol" }, 
@@ -1372,8 +1436,13 @@ ], "related.user": [ "iameaque", +<<<<<<< HEAD "undeomni", "lmole" +======= + "lmole", + "undeomni" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", @@ -1404,8 +1473,8 @@ ], "source.port": 6165, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "mail.example.com", "url.extension": "gif", @@ -1413,8 +1482,8 @@ "url.original": "https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur", "url.path": "/lorsi/repreh.gif", "url.query": [ - "tionula", - "sitamet=utlabo" + "sitamet=utlabo", + "tionula" ], "url.scheme": "https", "user.name": "undeomni" @@ -1447,9 +1516,15 @@ "10.29.119.245" ], "related.user": [ +<<<<<<< HEAD "scipitl", "taliqui", "edolorin" +======= + "edolorin", + "scipitl", + "taliqui" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1476,8 +1551,8 @@ ], "source.port": 1179, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "scipitl" }, @@ -1513,6 +1588,10 @@ "related.user": [ "etconsec", "caboNem", +<<<<<<< HEAD +======= + "etconsec", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "pta" ], "rsa.counters.event_counter": 5347, @@ -1544,8 +1623,8 @@ ], "source.port": 2064, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "example.org", "url.extension": "htm", @@ -1616,8 +1695,8 @@ ], "source.port": 1877, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "doeiu" }, @@ -1683,8 +1762,8 @@ ], "source.port": 7647, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "internal.example.net", "url.extension": "jpg", 
@@ -1692,8 +1771,8 @@ "url.original": "https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu", "url.path": "/atnula/ditautf.jpg", "url.query": [ - "tan", - "iquidex=olup" + "iquidex=olup", + "tan" ], "url.scheme": "https", "user.name": "emUte" @@ -1755,8 +1834,8 @@ ], "source.port": 2037, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "urau" }, @@ -1788,9 +1867,15 @@ "10.9.46.123" ], "related.user": [ +<<<<<<< HEAD "nde", "oco", "mfu" +======= + "mfu", + "nde", + "oco" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1817,8 +1902,8 @@ ], "source.port": 1634, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "mfu" }, @@ -1852,6 +1937,10 @@ "related.user": [ "pta", "mquisnos", +<<<<<<< HEAD +======= + "pta", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "veniamq" ], "rsa.counters.dclass_c1": 2358, @@ -1879,8 +1968,8 @@ ], "source.port": 5994, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "pta" }, @@ -1908,13 +1997,13 @@ "lesti6939.api.local" ], "related.ip": [ - "10.165.182.111", - "10.137.85.123" + "10.137.85.123", + "10.165.182.111" ], "related.user": [ "Bonorum", - "sis", - "ames" + "ames", + "sis" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1941,8 +2030,8 @@ ], "source.port": 218, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ames" }, @@ -1969,8 +2058,8 @@ "rsa.time.starttime": "2017-04-16T10:29:41.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "sumdolo" }, 
@@ -2037,8 +2126,8 @@ ], "source.port": 3327, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "www.example.net", "url.extension": "htm", @@ -2046,8 +2135,8 @@ "url.original": "https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi", "url.path": "/hender/ptatemU.htm", "url.query": [ - "tlabore", - "mquisnos=tnulapa" + "mquisnos=tnulapa", + "tlabore" ], "url.scheme": "https", "user.name": "uian" @@ -2081,8 +2170,13 @@ ], "related.user": [ "aUtenima", +<<<<<<< HEAD "olupta", "olu" +======= + "olu", + "olupta" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2109,8 +2203,8 @@ ], "source.port": 6, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "olu" }, @@ -2138,13 +2232,19 @@ "con6049.internal.lan" ], "related.ip": [ - "10.59.182.36", - "10.18.150.82" + "10.18.150.82", + "10.59.182.36" ], "related.user": [ +<<<<<<< HEAD "qua", "mtota", "luptat" +======= + "luptat", + "mtota", + "qua" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2171,8 +2271,8 @@ ], "source.port": 6648, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "mtota" }, @@ -2199,8 +2299,8 @@ "rsa.time.starttime": "2017-06-12T14:39:58.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "llita" }, @@ -2231,8 +2331,13 @@ "10.228.229.144" ], "related.user": [ +<<<<<<< HEAD "ametcons", "ama", +======= + "ama", + "ametcons", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "lam" ], "rsa.counters.dclass_c1": 4325, 
@@ -2256,8 +2361,8 @@ ], "source.port": 3197, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ametcons" }, @@ -2289,9 +2394,15 @@ "10.242.48.203" ], "related.user": [ +<<<<<<< HEAD "quisn", "ese", "quasi" +======= + "ese", + "quasi", + "quisn" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2318,8 +2429,8 @@ ], "source.port": 2586, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ese" }, @@ -2349,8 +2460,8 @@ "radipis3991.mail.invalid" ], "related.ip": [ - "10.254.10.98", - "10.213.165.165" + "10.213.165.165", + "10.254.10.98" ], "related.user": [ "ttenb", @@ -2386,8 +2497,8 @@ ], "source.port": 4723, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "example.net", "url.extension": "gif", @@ -2395,8 +2506,8 @@ "url.original": "https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui", "url.path": "/itati/oidentsu.gif", "url.query": [ - "lup", - "eporroqu=aturve" + "eporroqu=aturve", + "lup" ], "url.scheme": "https", "user.name": "ttenb" @@ -2424,8 +2535,8 @@ "rsa.time.starttime": "2017-08-08T18:50:15.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ura" }, @@ -2460,16 +2571,21 @@ ], "related.user": [ "amco", +<<<<<<< HEAD "reseo", "eturadip" +======= + "eturadip", + "reseo" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", "rsa.internal.event_desc": "utfugi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "pexeaco", - "accept" + "accept", + "pexeaco" ], "rsa.misc.category": "ursintoc", "rsa.misc.disposition": "tio", 
@@ -2492,8 +2608,8 @@ ], "source.port": 5439, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "api.example.org", "url.extension": "gif", @@ -2535,9 +2651,15 @@ "10.45.69.152" ], "related.user": [ +<<<<<<< HEAD "umq", "volupta", "tsunt" +======= + "tsunt", + "umq", + "volupta" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2564,8 +2686,8 @@ ], "source.port": 4083, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "volupta" }, @@ -2626,8 +2748,8 @@ ], "source.port": 6971, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ptatev" }, @@ -2654,8 +2776,8 @@ "rsa.time.starttime": "2017-10-04T23:00:32.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "reme" }, @@ -2716,8 +2838,8 @@ ], "source.port": 3510, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ulapari" }, @@ -2778,8 +2900,8 @@ ], "source.port": 4447, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "mporin" }, @@ -2812,8 +2934,13 @@ ], "related.user": [ "dol", +<<<<<<< HEAD "iconsequ", "exeac" +======= + "exeac", + "iconsequ" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2840,8 +2967,8 @@ ], "source.port": 3365, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "dol" }, @@ -2901,8 +3028,8 @@ ], "source.port": 6907, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "eriti" }, 
@@ -2932,13 +3059,19 @@ "mips3283.corp" ], "related.ip": [ - "10.60.164.100", - "10.1.193.187" + "10.1.193.187", + "10.60.164.100" ], "related.user": [ +<<<<<<< HEAD "hite", "ugi", "adipis" +======= + "adipis", + "hite", + "ugi" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", @@ -2969,8 +3102,8 @@ ], "source.port": 2652, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "api.example.net", "url.extension": "htm", @@ -2978,8 +3111,8 @@ "url.original": "https://api.example.net/quam/saute.htm?nostru=docons#emipsumq", "url.path": "/quam/saute.htm", "url.query": [ - "orinr", - "nostru=docons" + "nostru=docons", + "orinr" ], "url.scheme": "https", "user.name": "ugi" @@ -3011,9 +3144,15 @@ "10.248.244.203" ], "related.user": [ +<<<<<<< HEAD "mquamei", "sum", "eiusm" +======= + "eiusm", + "mquamei", + "sum" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3036,8 +3175,8 @@ ], "source.port": 4346, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "mquamei" }, @@ -3069,9 +3208,15 @@ "10.122.127.237" ], "related.user": [ +<<<<<<< HEAD "nimv", "ine", "consecte" +======= + "consecte", + "ine", + "nimv" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 2771, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3098,8 +3243,8 @@ ], "source.port": 3971, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "consecte" }, @@ -3127,8 +3272,8 @@ "agnama5013.internal.example" ], "related.ip": [ - "10.204.223.184", - "10.201.223.119" + "10.201.223.119", + "10.204.223.184" ], "related.user": [ "teni", 
@@ -3160,8 +3305,8 @@ ], "source.port": 6092, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "rcit" }, @@ -3222,8 +3367,8 @@ ], "source.port": 5899, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "magnido" }, @@ -3290,8 +3435,8 @@ ], "source.port": 428, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "internal.example.com", "url.extension": "htm", @@ -3328,12 +3473,16 @@ "tsun7120.home" ], "related.ip": [ - "10.65.174.196", - "10.191.184.105" + "10.191.184.105", + "10.65.174.196" ], "related.user": [ "tione", "iin", +<<<<<<< HEAD +======= + "tione", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "uta" ], "rsa.counters.dclass_c1": 5836, @@ -3357,8 +3506,8 @@ ], "source.port": 6821, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "iin" }, @@ -3401,8 +3550,8 @@ "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "rumwr", - "deny" + "deny", + "rumwr" ], "rsa.misc.category": "rporis", "rsa.misc.disposition": "etco", @@ -3425,8 +3574,8 @@ ], "source.port": 6078, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "api.example.com", "url.extension": "gif", @@ -3434,8 +3583,8 @@ "url.original": "https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd", "url.path": "/ptatem/mporain.gif", "url.query": [ - "ntore", - "corpo=commod" + "corpo=commod", + "ntore" ], "url.scheme": "https", "user.name": "niam" @@ -3468,8 +3617,13 @@ "10.21.61.134" ], "related.user": [ +<<<<<<< HEAD "mipsa", "imidest", +======= + "imidest", + "mipsa", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "ostr" ], "rsa.counters.dclass_c1": 7766, 
@@ -3497,8 +3651,8 @@ ], "source.port": 6124, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "imidest" }, @@ -3530,9 +3684,9 @@ "10.221.192.116" ], "related.user": [ - "tevelite", + "iamquisn", "iarchit", - "iamquisn" + "tevelite" ], "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3559,8 +3713,8 @@ ], "source.port": 4688, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "iarchit" }, @@ -3595,8 +3749,13 @@ ], "related.user": [ "animide", +<<<<<<< HEAD "nofde", "modtempo" +======= + "modtempo", + "nofde" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", @@ -3626,8 +3785,8 @@ ], "source.port": 2976, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "www5.example.net", "url.extension": "gif", @@ -3635,8 +3794,8 @@ "url.original": "https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa", "url.path": "/aUten/edutpers.gif", "url.query": [ - "sunt", - "apariatu=mnisis" + "apariatu=mnisis", + "sunt" ], "url.scheme": "https", "user.name": "modtempo" @@ -3671,9 +3830,15 @@ "10.111.22.134" ], "related.user": [ +<<<<<<< HEAD "tqui", "ccusan", "inibusBo" +======= + "ccusan", + "inibusBo", + "tqui" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", @@ -3703,8 +3868,8 @@ ], "source.port": 3124, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "www.example.net", "url.extension": "jpg", 
@@ -3712,8 +3877,8 @@ "url.original": "https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco", "url.path": "/mvolup/pidat.jpg", "url.query": [ - "ommodoco", - "ents=nsec" + "ents=nsec", + "ommodoco" ], "url.scheme": "https", "user.name": "ccusan" @@ -3746,9 +3911,15 @@ "10.77.86.215" ], "related.user": [ +<<<<<<< HEAD "rcit", "xerc", "meaqu" +======= + "meaqu", + "rcit", + "xerc" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3775,8 +3946,8 @@ ], "source.port": 6390, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "meaqu" }, @@ -3807,9 +3978,15 @@ "10.211.161.187" ], "related.user": [ +<<<<<<< HEAD "sci", "boriosa", "acons" +======= + "acons", + "boriosa", + "sci" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 1578, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3832,8 +4009,8 @@ ], "source.port": 843, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "boriosa" }, @@ -3864,9 +4041,15 @@ "10.254.198.47" ], "related.user": [ +<<<<<<< HEAD "nimvenia", "illoin", "ndeomnis" +======= + "illoin", + "ndeomnis", + "nimvenia" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3889,8 +4072,8 @@ ], "source.port": 3925, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "nimvenia" }, @@ -3918,13 +4101,13 @@ "reseo2067.api.localdomain" ], "related.ip": [ - "10.40.24.93", - "10.182.197.243" + "10.182.197.243", + "10.40.24.93" ], "related.user": [ - "orisnis", "exerci", - "mSecti" + "mSecti", + "orisnis" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3951,8 +4134,8 @@ ], "source.port": 3687, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "mSecti" }, @@ -3984,9 +4167,15 @@ "10.108.130.106" ], "related.user": [ +<<<<<<< HEAD "exeacomm", "uisautei", "colab" +======= + "colab", + "exeacomm", + "uisautei" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4013,8 +4202,8 @@ ], "source.port": 7601, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "uisautei" }, @@ -4048,8 +4237,13 @@ "10.64.94.174" ], "related.user": [ +<<<<<<< HEAD "estiae", "Sedut", +======= + "Sedut", + "estiae", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iunt" ], "rsa.counters.event_counter": 7128, @@ -4080,8 +4274,8 @@ ], "source.port": 4082, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "internal.example.org", "url.extension": "txt", @@ -4089,8 +4283,8 @@ "url.original": "https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod", "url.path": "/aev/uovolup.txt", "url.query": [ - "tur", - "aqueip=aqueip" + "aqueip=aqueip", + "tur" ], "url.scheme": "https", "user.name": "Sedut" @@ -4118,8 +4312,8 @@ "rsa.time.starttime": "2018-08-29T16:59:40.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "imad" }, @@ -4146,8 +4340,8 @@ "rsa.time.starttime": "2018-09-13T00:02:15.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "apari" }, @@ -4180,8 +4374,8 @@ ], "related.user": [ "involu", - "utoditau", - "orpori" + "orpori", + "utoditau" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4208,8 +4402,8 @@ ], "source.port": 1809, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "utoditau" }, @@ -4237,8 +4431,8 @@ "iamq2577.internal.corp" ], "related.ip": [ - "10.43.244.252", - "10.251.212.166" + "10.251.212.166", + "10.43.244.252" ], "related.user": [ "gnido", @@ -4270,8 +4464,8 @@ ], "source.port": 3925, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "inculp" }, @@ -4298,8 +4492,8 @@ "rsa.time.starttime": "2018-10-25T21:09:57.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "isunde" }, @@ -4331,9 +4525,9 @@ "10.88.189.164" ], "related.user": [ - "uatDuisa", + "mqu", "tesseq", - "mqu" + "uatDuisa" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4360,8 +4554,8 @@ ], "source.port": 1373, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "tesseq" }, @@ -4388,8 +4582,8 @@ "rsa.time.starttime": "2018-11-23T11:15:06.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "quamquae" }, @@ -4421,9 +4615,15 @@ "10.231.77.26" ], "related.user": [ +<<<<<<< HEAD "volu", "rehe", "ineavol" +======= + "ineavol", + "rehe", + "volu" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4449,8 +4649,8 @@ ], "source.port": 3513, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "rehe" }, @@ -4477,12 +4677,12 @@ "eprehe2455.www.home" ], "related.ip": [ - "10.148.3.197", - "10.106.166.105" + "10.106.166.105", + "10.148.3.197" ], "related.user": [ - "olupt", "avolup", + "olupt", "usa" ], "rsa.counters.dclass_c1": 2658, 
@@ -4506,8 +4706,8 @@ ], "source.port": 4567, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "usa" }, @@ -4568,8 +4768,8 @@ ], "source.port": 3093, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "iuta" }, @@ -4601,9 +4801,9 @@ "10.42.218.103" ], "related.user": [ - "tisundeo", "dquia", - "tevelit" + "tevelit", + "tisundeo" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4630,8 +4830,8 @@ ], "source.port": 3315, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "tisundeo" }, @@ -4659,8 +4859,8 @@ "ididu5928.www5.local" ], "related.ip": [ - "10.76.121.224", - "10.111.132.221" + "10.111.132.221", + "10.76.121.224" ], "related.user": [ "ali", @@ -4692,8 +4892,8 @@ ], "source.port": 4305, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ali" }, @@ -4725,9 +4925,15 @@ "10.195.8.141" ], "related.user": [ +<<<<<<< HEAD "ota", "enimip", "dolo" +======= + "dolo", + "enimip", + "ota" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4754,8 +4960,8 @@ ], "source.port": 4821, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "enimip" }, @@ -4788,8 +4994,13 @@ ], "related.user": [ "apar", +<<<<<<< HEAD "ptasn", "isn" +======= + "isn", + "ptasn" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4816,8 +5027,8 @@ ], "source.port": 1124, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ptasn" }, 
@@ -4850,8 +5061,8 @@ ], "related.user": [ "ore", - "tiset", - "orsi" + "orsi", + "tiset" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4878,8 +5089,8 @@ ], "source.port": 3288, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "tiset" }, @@ -4906,8 +5117,8 @@ "rsa.time.starttime": "2019-04-01T02:38:14.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "fugit" }, @@ -4939,9 +5150,15 @@ "10.8.147.176" ], "related.user": [ +<<<<<<< HEAD "aUteni", "incididu", "Loremips" +======= + "Loremips", + "aUteni", + "incididu" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4968,8 +5185,8 @@ ], "source.port": 5920, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "Loremips" }, @@ -4996,13 +5213,19 @@ "dmini3435.internal.domain" ], "related.ip": [ - "10.206.221.180", - "10.116.26.185" + "10.116.26.185", + "10.206.221.180" ], "related.user": [ +<<<<<<< HEAD "oNe", "nseq", "litesseq" +======= + "litesseq", + "nseq", + "oNe" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5025,8 +5248,8 @@ ], "source.port": 6818, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "oNe" }, @@ -5054,12 +5277,16 @@ "nibusBo1864.domain" ], "related.ip": [ - "10.86.180.150", - "10.253.127.130" + "10.253.127.130", + "10.86.180.150" ], "related.user": [ "itasper", "etconsec", +<<<<<<< HEAD +======= + "itasper", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "mnisis" ], "rsa.counters.dclass_c1": 4564, 
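Review bot: In the `@@ -5054,12 +5277,16 @@` hunk the incoming side of the conflict adds `"itasper",` while the unchanged context directly above already lists `"itasper",` and `"etconsec",`, so taking the incoming side yields `related.user` as `itasper, etconsec, itasper, mnisis` — a duplicated entry in an array that is neither sorted nor the original. Neither conflict side is correct here; the array needs to be rebuilt from the actual pipeline output (presumably `"etconsec",` / `"itasper",` / `"mnisis"`, given the byte-order sort used elsewhere in this file), otherwise the fixture would silently assert a duplicate user in `related.user`.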
@@ -5087,8 +5314,8 @@ ], "source.port": 5339, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "mnisis" }, @@ -5153,8 +5380,8 @@ ], "source.port": 4469, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "internal.example.com", "url.extension": "txt", @@ -5162,8 +5389,8 @@ "url.original": "https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu", "url.path": "/architec/incul.txt", "url.query": [ - "suntincu", - "aborios=mco" + "aborios=mco", + "suntincu" ], "url.scheme": "https", "user.name": "dolo" @@ -5191,8 +5418,8 @@ "rsa.time.starttime": "2019-06-11T13:51:06.000Z", "service.type": "imperva", "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "mpo" }, @@ -5224,8 +5451,13 @@ "10.150.27.144" ], "related.user": [ +<<<<<<< HEAD "res", "ditautf", +======= + "ditautf", + "res", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "tuserror" ], "rsa.counters.dclass_c1": 4367, @@ -5253,8 +5485,8 @@ ], "source.port": 6834, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "res" }, @@ -5315,8 +5547,8 @@ ], "source.port": 7780, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "orsi" }, @@ -5347,9 +5579,15 @@ "10.69.5.227" ], "related.user": [ +<<<<<<< HEAD "rumw", "ntocc", "doloreme" +======= + "doloreme", + "ntocc", + "rumw" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 5201, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5372,8 +5610,8 @@ ], "source.port": 5776, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "doloreme" }, 
@@ -5434,8 +5672,8 @@ ], "source.port": 5547, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "ate" }, @@ -5469,17 +5707,23 @@ "10.149.91.130" ], "related.user": [ +<<<<<<< HEAD "orumetMa", "aboris", "atus" +======= + "aboris", + "atus", + "orumetMa" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "atcupi" + "atcupi", + "block" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", @@ -5501,8 +5745,8 @@ ], "source.port": 7756, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "www.example.com", "url.extension": "gif", @@ -5546,9 +5790,15 @@ "10.81.108.232" ], "related.user": [ +<<<<<<< HEAD "neavolup", "uaturve", "aco" +======= + "aco", + "neavolup", + "uaturve" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 5098, "rsa.db.database": "lapa", @@ -5579,8 +5829,8 @@ ], "source.port": 5818, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "internal.example.net", "url.extension": "jpg", @@ -5588,8 +5838,8 @@ "url.original": "https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem", "url.path": "/obeatae/sedqui.jpg", "url.query": [ - "plicab", - "nulap=onseq" + "nulap=onseq", + "plicab" ], "url.scheme": "https", "user.name": "aco" @@ -5657,8 +5907,8 @@ ], "source.port": 2572, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "mail.example.com", "url.extension": "htm", 
@@ -5701,8 +5951,13 @@ ], "related.user": [ "res", +<<<<<<< HEAD "tasnul", "sequamn" +======= + "sequamn", + "tasnul" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5729,8 +5984,8 @@ ], "source.port": 2748, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "res" }, @@ -5764,17 +6019,23 @@ "10.247.108.144" ], "related.user": [ +<<<<<<< HEAD "tema", "maccusan", "fugia" +======= + "fugia", + "maccusan", + "tema" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.counters.event_counter": 3711, "rsa.db.database": "psa", "rsa.internal.event_desc": "stiaec", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "iat", - "block" + "block", + "iat" ], "rsa.misc.category": "officia", "rsa.misc.disposition": "ametcon", @@ -5797,8 +6058,8 @@ ], "source.port": 5677, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "www5.example.org", "url.extension": "htm", @@ -5806,8 +6067,8 @@ "url.original": "https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip", "url.path": "/elaud/temsequ.htm", "url.query": [ - "iquaUte", - "dolo=iciatisu" + "dolo=iciatisu", + "iquaUte" ], "url.scheme": "https", "user.name": "tema" @@ -5835,8 +6096,8 @@ "itseddo2209.mail.domain" ], "related.ip": [ - "10.97.22.61", - "10.192.15.65" + "10.192.15.65", + "10.97.22.61" ], "related.user": [ "nimides", @@ -5864,8 +6125,8 @@ ], "source.port": 6420, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "nimides" }, @@ -5895,8 +6156,8 @@ "duntutl3396.api.host" ], "related.ip": [ - "10.197.254.133", - "10.116.76.161" + "10.116.76.161", + "10.197.254.133" ], "related.user": [ "idu", 
@@ -5931,8 +6192,8 @@ ], "source.port": 7469, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "url.domain": "mail.example.net", "url.extension": "htm", @@ -6003,8 +6264,8 @@ ], "source.port": 1150, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "upta" }, @@ -6060,8 +6321,8 @@ ], "source.port": 2224, "tags": [ - "imperva.securesphere", - "forwarded" + "forwarded", + "imperva.securesphere" ], "user.name": "quei" } diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 1001568ef10..eedf1296e3f 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json @@ -20,8 +20,8 @@ "rsa.time.month": "January", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -45,8 +45,8 @@ "rsa.time.month": "February", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -70,8 +70,8 @@ "rsa.time.month": "February", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -95,8 +95,8 @@ "rsa.time.month": "March", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -121,8 +121,8 @@ "rsa.time.month": "March", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -149,8 +149,8 @@ "rsa.time.month": "April", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -174,8 +174,8 @@ "rsa.time.month": "April", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { 
@@ -206,8 +206,8 @@ "rsa.time.month": "May", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -233,8 +233,8 @@ "rsa.time.month": "May", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -267,8 +267,8 @@ "rsa.time.month": "June", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ], "user.name": "ueipsaqu" }, @@ -294,8 +294,8 @@ "rsa.time.month": "June", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -322,8 +322,8 @@ "rsa.time.month": "July", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -347,8 +347,8 @@ "rsa.time.month": "July", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -373,8 +373,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -400,8 +400,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -425,8 +425,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -451,8 +451,8 @@ "rsa.time.month": "September", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -476,8 +476,8 @@ "rsa.time.month": "September", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -502,8 +502,8 @@ "rsa.time.month": "October", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { 
@@ -527,8 +527,8 @@ "rsa.time.month": "October", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -552,8 +552,8 @@ "rsa.time.month": "November", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -578,8 +578,8 @@ "rsa.time.month": "November", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -603,8 +603,8 @@ "rsa.time.month": "December", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -637,8 +637,8 @@ "10.116.104.101" ], "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -663,8 +663,8 @@ "rsa.time.month": "January", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -689,8 +689,8 @@ "rsa.time.month": "January", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -715,8 +715,8 @@ "rsa.time.month": "February", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -756,8 +756,8 @@ "10.153.111.103" ], "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ], "user.name": "doloremi" }, @@ -783,8 +783,8 @@ "rsa.time.month": "March", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -817,8 +817,8 @@ "rsa.time.month": "Mar", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -842,8 +842,8 @@ "rsa.time.month": "April", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { 
@@ -876,8 +876,8 @@ ], "source.port": 2285, "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ], "user.name": "vitaedi" }, @@ -902,8 +902,8 @@ "rsa.time.month": "April", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -934,8 +934,8 @@ "rsa.time.month": "May", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -965,8 +965,8 @@ "10.177.36.38" ], "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -992,8 +992,8 @@ "rsa.time.month": "June", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1017,8 +1017,8 @@ "rsa.time.month": "June", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1042,8 +1042,8 @@ "rsa.time.month": "July", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1067,8 +1067,8 @@ "rsa.time.month": "July", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1096,8 +1096,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1124,8 +1124,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1149,8 +1149,8 @@ "rsa.time.month": "September", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1174,8 +1174,8 @@ "rsa.time.month": "September", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { 
@@ -1200,8 +1200,8 @@ "service.type": "infoblox", "source.bytes": 1792, "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1229,8 +1229,8 @@ "rsa.time.month": "Oct", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1254,8 +1254,8 @@ "rsa.time.month": "November", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1280,8 +1280,8 @@ "rsa.time.month": "November", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1309,8 +1309,8 @@ "rsa.time.month": "December", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1335,8 +1335,8 @@ "rsa.time.month": "December", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1361,8 +1361,8 @@ "rsa.time.month": "December", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1386,8 +1386,8 @@ "rsa.time.month": "January", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1412,8 +1412,8 @@ "rsa.time.month": "January", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1437,8 +1437,8 @@ "rsa.time.month": "February", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1462,8 +1462,8 @@ "rsa.time.month": "February", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1487,8 +1487,8 @@ "rsa.time.month": "March", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { 
@@ -1528,8 +1528,8 @@ "10.204.128.215" ], "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ], "user.name": "lorin" }, @@ -1554,8 +1554,8 @@ "rsa.time.month": "Apr", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1581,8 +1581,8 @@ "rsa.time.month": "April", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1608,8 +1608,8 @@ "rsa.time.month": "May", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1634,8 +1634,8 @@ "rsa.time.month": "May", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1663,8 +1663,8 @@ "rsa.time.month": "Jun", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1689,8 +1689,8 @@ "rsa.time.month": "June", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1714,8 +1714,8 @@ "rsa.time.month": "July", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1742,8 +1742,8 @@ "rsa.time.month": "July", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1768,8 +1768,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1792,8 +1792,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1817,8 +1817,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { 
@@ -1843,8 +1843,8 @@ "rsa.time.month": "September", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1876,8 +1876,8 @@ ], "source.port": 4184, "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1903,8 +1903,8 @@ "rsa.time.month": "October", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1928,8 +1928,8 @@ "rsa.time.month": "October", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1953,8 +1953,8 @@ "rsa.time.month": "November", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -1987,8 +1987,8 @@ "server.top_level_domain": "host", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2012,8 +2012,8 @@ "rsa.time.month": "December", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2046,8 +2046,8 @@ "rsa.time.month": "Dec", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2073,8 +2073,8 @@ "rsa.time.month": "Jan", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2098,8 +2098,8 @@ "rsa.time.month": "January", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2123,8 +2123,8 @@ "rsa.time.month": "February", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2153,8 +2153,8 @@ "service.type": "infoblox", "source.bytes": 2807, "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ], "user.name": "rcit" }, 
@@ -2179,8 +2179,8 @@ "rsa.time.month": "March", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2204,8 +2204,8 @@ "rsa.time.month": "March", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2229,8 +2229,8 @@ "rsa.time.month": "Apr", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2263,8 +2263,8 @@ "server.top_level_domain": "local", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2289,8 +2289,8 @@ "rsa.time.month": "April", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2314,8 +2314,8 @@ "rsa.time.month": "May", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2339,8 +2339,8 @@ "rsa.time.month": "May", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2364,8 +2364,8 @@ "rsa.time.month": "June", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2390,8 +2390,8 @@ "rsa.time.month": "June", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2408,8 +2408,8 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "uamnihil6127.api.domain", - "olli3116.internal.example" + "olli3116.internal.example", + "uamnihil6127.api.domain" ], "rsa.internal.messageid": "python", "rsa.misc.action": [ @@ -2423,8 +2423,8 @@ "rsa.time.month": "July", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { 
@@ -2454,8 +2454,8 @@ "rsa.time.month": "Jul", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2480,8 +2480,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2505,8 +2505,8 @@ "rsa.time.month": "August", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2530,8 +2530,8 @@ "rsa.time.month": "September", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2555,8 +2555,8 @@ "rsa.time.month": "September", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2583,8 +2583,8 @@ "rsa.time.month": "Oct", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2611,8 +2611,8 @@ "service.type": "infoblox", "source.port": 2496, "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2636,8 +2636,8 @@ "rsa.time.month": "November", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2671,8 +2671,8 @@ "rsa.time.month": "November", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2696,8 +2696,8 @@ "rsa.time.month": "November", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] }, { @@ -2729,8 +2729,8 @@ "rsa.time.month": "Dec", "service.type": "infoblox", "tags": [ - "infoblox.nios", - "forwarded" + "forwarded", + "infoblox.nios" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json index e42e0bc7929..99e78512170 100644 
--- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
@@ -12,8 +12,8 @@
 "event.module": "iptables",
 "event.timezone": "-02:00",
 "event.type": [
- "denied",
- "connection"
+ "connection",
+ "denied"
 ],
 "fileset.name": "log",
 "input.type": "log",
@@ -46,8 +46,8 @@
 "observer.ingress.zone": "wan",
 "observer.name": "Hostname",
 "related.ip": [
- "158.109.0.1",
- "10.4.0.5"
+ "10.4.0.5",
+ "158.109.0.1"
 ],
 "rule.id": "default",
 "rule.name": "wan-lan",
@@ -63,6 +63,10 @@
 "source.mac": "90:10:65:29:b6:2a",
 "source.port": 38842,
 "tags": [
+<<<<<<< HEAD
+=======
+ "forwarded",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "iptables"
 ]
 }
diff --git a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json
index e986c450d85..853b399ac8c 100644
--- a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json
@@ -11,8 +11,8 @@
 "event.module": "iptables",
 "event.timezone": "-02:00",
 "event.type": [
- "denied",
- "connection"
+ "connection",
+ "denied"
 ],
 "fileset.name": "log",
 "input.type": "log",
@@ -39,6 +39,10 @@
 "source.ip": "192.0.2.71",
 "source.mac": "90:10:18:5a:89:2a",
 "tags": [
+<<<<<<< HEAD
+=======
+ "forwarded",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "iptables"
 ]
 }
diff --git a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
index a18c274ec63..eb22954c25b 100644
--- a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
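Review bot: The `@@ -63,6 +63,10 @@` hunk in geo.log-expected.json leaves the conflict unresolved with an empty HEAD side and an incoming side that adds `"forwarded",` to `tags`, so accepting the incoming block would make the fixture assert a `forwarded` tag that the pre-change fixture on this branch did not contain, while accepting HEAD keeps the array as it was. Whether the iptables fileset on this branch actually emits `forwarded` has to be confirmed against the module's pipeline/config before the four added lines are replaced by either side; if it does not, the resolution is to drop `"forwarded",` and keep `"iptables"` alone. The identical empty-HEAD/`forwarded` conflict recurs in the `tags` array of icmp.log-expected.json on this line and in every event of iptables.log-expected.json on L546–L547, and until all of them are resolved none of these files parses as JSON.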
@@ -12,8 +12,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -40,14 +40,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "203.0.113.36", - "172.16.54.114" + "172.16.54.114", + "203.0.113.36" ], "service.type": "iptables", "source.ip": "203.0.113.36", "source.mac": "90:10:9e:ec:2c:71", "source.port": 17805, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -64,8 +68,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -89,14 +93,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "198.51.100.198", - "172.16.54.114" + "172.16.54.114", + "198.51.100.198" ], "service.type": "iptables", "source.ip": "198.51.100.198", "source.mac": "90:10:76:e0:e2:d5", "source.port": 47091, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -113,8 +121,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -141,14 +149,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "203.0.113.201", - "172.16.54.114" + "172.16.54.114", + "203.0.113.201" ], "service.type": "iptables", "source.ip": "203.0.113.201", "source.mac": "90:10:9e:ec:2c:71", "source.port": 59319, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, 
@@ -165,8 +177,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -193,14 +205,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "203.0.113.246", - "172.16.54.114" + "172.16.54.114", + "203.0.113.246" ], "service.type": "iptables", "source.ip": "203.0.113.246", "source.mac": "90:10:9e:ec:2c:71", "source.port": 44181, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -217,8 +233,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -245,14 +261,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "203.0.113.208", - "172.16.54.114" + "172.16.54.114", + "203.0.113.208" ], "service.type": "iptables", "source.ip": "203.0.113.208", "source.mac": "90:10:76:e0:e2:d5", "source.port": 64358, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -269,8 +289,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -294,14 +314,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "198.51.100.160", - "172.16.54.114" + "172.16.54.114", + "198.51.100.160" ], "service.type": "iptables", "source.ip": "198.51.100.160", "source.mac": "90:10:9e:ec:2c:71", "source.port": 58830, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, 
@@ -318,8 +342,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -346,14 +370,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "198.51.100.115", - "172.16.54.114" + "172.16.54.114", + "198.51.100.115" ], "service.type": "iptables", "source.ip": "198.51.100.115", "source.mac": "90:10:76:e0:e2:d5", "source.port": 51985, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -370,8 +398,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -398,14 +426,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "198.51.100.167", - "172.16.54.114" + "172.16.54.114", + "198.51.100.167" ], "service.type": "iptables", "source.ip": "198.51.100.167", "source.mac": "90:10:76:e0:e2:d5", "source.port": 4099, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -422,8 +454,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -447,14 +479,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "198.51.100.19", - "172.16.54.114" + "172.16.54.114", + "198.51.100.19" ], "service.type": "iptables", "source.ip": "198.51.100.19", "source.mac": "90:10:9e:ec:2c:71", "source.port": 59287, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, 
@@ -471,8 +507,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -496,14 +532,18 @@ "network.type": "ipv4", "observer.name": "example-host", "related.ip": [ - "198.51.100.68", - "172.16.54.114" + "172.16.54.114", + "198.51.100.68" ], "service.type": "iptables", "source.ip": "198.51.100.68", "source.mac": "90:10:76:e0:e2:d5", "source.port": 53296, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] } diff --git a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json index 403b6c69e20..dcb4b25ffac 100644 --- a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json @@ -35,6 +35,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -74,6 +78,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -113,6 +121,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -152,6 +164,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, 
@@ -191,6 +207,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -230,6 +250,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -269,6 +293,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -308,6 +336,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -347,6 +379,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -386,6 +422,10 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -427,6 +467,10 @@ "source.ip": "fe80:0000:0000:0000:0084:88ff:feae:790a", "source.mac": "90:10:aa:bb:cc:dd", "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] } diff --git a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json index af2bb0c1ff6..1c15c7bb36c 100644 
--- a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json @@ -45,6 +45,10 @@ "source.mac": "90:10:73:ba:d6:77", "source.port": 48689, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -92,8 +96,8 @@ "network.type": "ipv4", "observer.name": "MainFirewall", "related.ip": [ - "192.168.134.158", - "192.0.2.25" + "192.0.2.25", + "192.168.134.158" ], "rule.id": "2000", "rule.name": "WAN_OUT", @@ -102,6 +106,10 @@ "source.mac": "90:10:24:67:f4:89", "source.port": 43189, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -118,8 +126,8 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "log", "input.type": "log", @@ -152,8 +160,8 @@ "observer.ingress.zone": "source", "observer.name": "MainFirewall", "related.ip": [ - "192.168.110.116", - "192.0.2.25" + "192.0.2.25", + "192.168.110.116" ], "rule.id": "default", "rule.name": "source-dest", @@ -162,6 +170,10 @@ "source.mac": "90:10:65:29:b6:2a", "source.port": 50093, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, @@ -208,8 +220,8 @@ "network.type": "ipv4", "observer.name": "MainFirewall", "related.ip": [ - "192.168.110.116", - "192.0.2.25" + "192.0.2.25", + "192.168.110.116" ], "rule.id": "2000", "rule.name": "WAN_OUT", @@ -218,6 +230,10 @@ "source.mac": "90:10:65:29:b6:2a", "source.port": 50093, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] }, 
@@ -264,8 +280,8 @@ "network.type": "ipv4", "observer.name": "MainFirewall", "related.ip": [ - "192.168.110.116", - "192.0.2.25" + "192.0.2.25", + "192.168.110.116" ], "rule.id": "2000", "rule.name": "WAN_OUT", @@ -274,6 +290,10 @@ "source.mac": "90:10:65:29:b6:2a", "source.port": 50093, "tags": [ +<<<<<<< HEAD +======= + "forwarded", +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "iptables" ] } diff --git a/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json index 299b588a5f0..e3f30f429b4 100644 --- a/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json +++ b/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json @@ -26,8 +26,8 @@ "rsa.time.month": "Jan", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -53,8 +53,8 @@ "rsa.time.month": "Feb", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -85,8 +85,8 @@ "service.name": "uaerat", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -117,8 +117,8 @@ "rsa.time.month": "Mar", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -139,8 +139,8 @@ "rsa.time.month": "Mar", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -168,8 +168,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -197,8 +197,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { 
@@ -226,8 +226,8 @@ "rsa.time.month": "May", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -259,8 +259,8 @@ "rsa.time.month": "May", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "atiset" }, @@ -282,8 +282,8 @@ "rsa.time.month": "Jun", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -304,8 +304,8 @@ "rsa.time.month": "Jun", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -332,8 +332,8 @@ "rsa.time.month": "Jul", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -361,8 +361,8 @@ "rsa.time.month": "Jul", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -388,8 +388,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -418,8 +418,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -447,8 +447,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -477,8 +477,8 @@ "rsa.time.month": "Sep", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -499,8 +499,8 @@ "rsa.time.month": "Sep", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -529,8 +529,8 @@ "rsa.time.month": "Oct", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { 
@@ -563,8 +563,8 @@ "rsa.time.month": "Oct", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -587,8 +587,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -628,8 +628,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "atq" }, @@ -658,8 +658,8 @@ "service.name": "nisiu", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -688,8 +688,8 @@ "rsa.time.month": "Dec", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -719,8 +719,8 @@ "rsa.time.month": "Jan", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "naturau" }, @@ -749,8 +749,8 @@ "rsa.time.month": "Jan", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -771,8 +771,8 @@ "rsa.time.month": "Feb", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -791,8 +791,8 @@ "rsa.time.month": "Feb", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -822,8 +822,8 @@ "rsa.time.month": "Mar", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -850,8 +850,8 @@ "rsa.time.month": "Mar", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -884,8 +884,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { 
@@ -906,8 +906,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -937,8 +937,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -970,8 +970,8 @@ "rsa.time.month": "May", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "moll" }, @@ -1001,8 +1001,8 @@ "rsa.time.month": "May", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1030,8 +1030,8 @@ "rsa.time.month": "Jun", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1058,8 +1058,8 @@ "rsa.time.month": "Jun", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1086,8 +1086,8 @@ "rsa.time.month": "Jul", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1114,8 +1114,8 @@ "rsa.time.month": "Jul", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1145,8 +1145,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1174,8 +1174,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1206,8 +1206,8 @@ "rsa.time.month": "Sep", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "wri" }, @@ -1237,8 +1237,8 @@ "rsa.time.month": "Sep", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { 
@@ -1267,8 +1267,8 @@ "rsa.time.month": "Oct", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1294,8 +1294,8 @@ "rsa.time.month": "Oct", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1330,8 +1330,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "iquipex" }, @@ -1360,8 +1360,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1394,8 +1394,8 @@ "rsa.time.month": "Dec", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "ciatisun" }, @@ -1420,8 +1420,8 @@ "rsa.time.month": "Dec", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1447,8 +1447,8 @@ "rsa.time.month": "Dec", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1476,8 +1476,8 @@ "rsa.time.month": "Jan", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1496,8 +1496,8 @@ "rsa.time.month": "Jan", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1524,8 +1524,8 @@ "service.name": "tsedquia", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1558,8 +1558,8 @@ "rsa.time.month": "Feb", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1580,8 +1580,8 @@ "rsa.time.month": "Mar", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { 
@@ -1606,8 +1606,8 @@ "rsa.time.month": "Mar", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1634,8 +1634,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1662,8 +1662,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1692,8 +1692,8 @@ "rsa.wireless.wlan_ssid": "ors", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1732,8 +1732,8 @@ "rsa.time.month": "May", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "olu" }, @@ -1766,8 +1766,8 @@ "rsa.time.month": "Jun", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "deseru" }, @@ -1795,8 +1795,8 @@ "rsa.time.month": "Jun", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1817,8 +1817,8 @@ "rsa.time.month": "Jul", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1847,8 +1847,8 @@ "rsa.time.month": "Jul", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1872,8 +1872,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1902,8 +1902,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1930,8 +1930,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { 
@@ -1961,8 +1961,8 @@ "rsa.time.month": "Sep", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -1985,8 +1985,8 @@ "rsa.time.month": "Sep", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2021,8 +2021,8 @@ "rsa.time.month": "Oct", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "rese" }, @@ -2053,8 +2053,8 @@ "rsa.time.month": "Oct", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2078,8 +2078,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2105,8 +2105,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2137,8 +2137,8 @@ "rsa.time.month": "Dec", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2168,8 +2168,8 @@ "rsa.time.month": "Dec", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2208,8 +2208,8 @@ "rsa.time.month": "Jan", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ], "user.name": "turQ" }, @@ -2249,8 +2249,8 @@ "10.44.24.103" ], "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2276,8 +2276,8 @@ "rsa.time.month": "Feb", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2307,8 +2307,8 @@ "rsa.time.month": "Feb", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { 
@@ -2337,8 +2337,8 @@ "rsa.time.month": "Mar", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2366,8 +2366,8 @@ "rsa.time.month": "Mar", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2390,8 +2390,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2417,8 +2417,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2439,8 +2439,8 @@ "rsa.time.month": "Apr", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2468,8 +2468,8 @@ "rsa.time.month": "May", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2490,8 +2490,8 @@ "rsa.time.month": "May", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2520,8 +2520,8 @@ "rsa.time.month": "Jun", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2545,8 +2545,8 @@ "rsa.time.month": "Jun", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2570,8 +2570,8 @@ "rsa.time.month": "Jul", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2600,8 +2600,8 @@ "rsa.time.month": "Jul", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2628,8 +2628,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { 
@@ -2657,8 +2657,8 @@ "rsa.time.month": "Aug", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2686,8 +2686,8 @@ "rsa.time.month": "Sep", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2724,8 +2724,8 @@ "rsa.time.month": "Sep", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2746,8 +2746,8 @@ "rsa.time.month": "Oct", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2782,8 +2782,8 @@ "rsa.time.month": "Oct", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2813,8 +2813,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2840,8 +2840,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2872,8 +2872,8 @@ "rsa.time.month": "Nov", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] }, { @@ -2901,8 +2901,8 @@ "service.name": "voluptat", "service.type": "juniper", "tags": [ - "juniper.junos", - "forwarded" + "forwarded", + "juniper.junos" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json index 2ca88f3b2d3..4d8ab59ed4b 100644 --- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json @@ -16,8 +16,8 @@ "rsa.misc.severity": "low", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { 
@@ -38,8 +38,8 @@ "rsa.misc.vsys": "moenimi", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -66,8 +66,8 @@ "rsa.time.event_time_str": "ofdeF", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -88,8 +88,8 @@ "rsa.misc.vsys": "ons", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -111,8 +111,8 @@ "rsa.network.network_port": 1044, "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -136,8 +136,8 @@ "rsa.network.interface": "enp0s5377", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -161,8 +161,8 @@ "rsa.misc.vsys": "uat", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "xeac" }, @@ -184,8 +184,8 @@ "rsa.misc.vsys": "pida", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -205,8 +205,8 @@ "rsa.misc.severity": "medium", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -230,8 +230,8 @@ "rsa.misc.vsys": "maccusa", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -253,8 +253,8 @@ "rsa.misc.vsys": "ern", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -281,8 +281,8 @@ "rsa.network.eth_host": "01:00:5e:11:0a:26", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { 
@@ -303,8 +303,8 @@ "rsa.misc.vsys": "atur", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -330,8 +330,8 @@ "rsa.network.network_port": 2509, "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -356,8 +356,8 @@ "rsa.misc.vsys": "boN", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -378,8 +378,8 @@ "rsa.misc.vsys": "uames", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -400,8 +400,8 @@ "rsa.misc.vsys": "issus", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -424,8 +424,8 @@ "rsa.misc.vsys": "spi", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -458,8 +458,8 @@ "10.170.139.87" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "idolo" }, @@ -481,8 +481,8 @@ "rsa.misc.vsys": "diconseq", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -505,8 +505,8 @@ "rsa.misc.vsys": "xercita", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -539,8 +539,8 @@ "10.198.41.214" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -564,8 +564,8 @@ "rsa.misc.vsys": "utlab", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -587,8 +587,8 @@ "rsa.misc.vsys": "ationev", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { 
@@ -617,8 +617,8 @@ "rsa.misc.vsys": "siu", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "rum" }, @@ -642,8 +642,8 @@ "rsa.misc.vsys": "orin", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -676,8 +676,8 @@ ], "source.port": 2883, "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "ntiumto" }, @@ -702,8 +702,8 @@ "rsa.misc.vsys": "rum", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -728,8 +728,8 @@ "rsa.misc.vsys": "aliquamq", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -750,8 +750,8 @@ "rsa.misc.vsys": "labore", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -772,8 +772,8 @@ "rsa.misc.vsys": "nesciun", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -797,8 +797,8 @@ "rsa.misc.vsys": "undeomni", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -823,8 +823,8 @@ "rsa.misc.vsys": "amc", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -849,8 +849,8 @@ "rsa.misc.vsys": "iusmodt", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -873,8 +873,8 @@ "rsa.network.interface": "eth82", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -896,8 +896,8 @@ "rsa.misc.vsys": "tat", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { 
@@ -924,8 +924,8 @@ "rsa.misc.vsys": "utemvel", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "atu" }, @@ -953,8 +953,8 @@ "rsa.network.interface": "enp0s3375", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -978,8 +978,8 @@ "rsa.misc.vsys": "est", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1003,8 +1003,8 @@ "rsa.misc.vsys": "edq", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "ntut" }, @@ -1028,8 +1028,8 @@ "rsa.misc.vsys": "ons", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1050,8 +1050,8 @@ "rsa.misc.vsys": "orem", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1077,8 +1077,8 @@ "rsa.misc.vsys": "periamea", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1099,8 +1099,8 @@ "rsa.misc.vsys": "atura", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1122,8 +1122,8 @@ "rsa.misc.vsys": "uiad", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1147,8 +1147,8 @@ "rsa.network.interface": "eth7686", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1169,8 +1169,8 @@ "rsa.misc.vsys": "uidexeac", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { 
@@ -1192,8 +1192,8 @@ "rsa.misc.vsys": "urExc", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1217,8 +1217,8 @@ "rsa.misc.vsys": "oremeumf", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1244,8 +1244,8 @@ "rsa.network.network_port": 76, "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1265,8 +1265,8 @@ "rsa.misc.severity": "high", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1286,8 +1286,8 @@ "rsa.misc.severity": "high", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1308,8 +1308,8 @@ "rsa.misc.vsys": "itametco", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1332,8 +1332,8 @@ "rsa.network.interface": "eth2266", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1365,8 +1365,8 @@ "10.142.21.251" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1387,8 +1387,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.119.53.68", - "10.105.212.51" + "10.105.212.51", + "10.119.53.68" ], "rsa.db.index": "giatqu", "rsa.internal.messageid": "00042", @@ -1401,8 +1401,8 @@ "10.105.212.51" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1435,8 +1435,8 @@ "10.174.2.175" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1457,8 +1457,8 @@ "rsa.misc.vsys": "eirure", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { 
@@ -1481,8 +1481,8 @@ "rsa.misc.vsys": "cinge", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1504,8 +1504,8 @@ "rsa.misc.vsys": "tiu", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1526,8 +1526,8 @@ "rsa.misc.vsys": "data", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1554,8 +1554,8 @@ "rsa.misc.vsys": "llitani", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1589,8 +1589,8 @@ ], "source.port": 5523, "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1619,8 +1619,8 @@ "rsa.misc.vsys": "emipsumd", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "saq" }, @@ -1643,8 +1643,8 @@ "rsa.misc.vsys": "ionevo", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1674,8 +1674,8 @@ "10.59.51.171" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "ritquiin" }, @@ -1700,8 +1700,8 @@ "rsa.misc.vsys": "imveni", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1734,8 +1734,8 @@ "10.80.103.229" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "fugitsed" }, @@ -1757,8 +1757,8 @@ "rsa.misc.vsys": "mSecti", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1782,8 +1782,8 @@ "rsa.misc.vsys": "quamqua", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { 
@@ -1804,8 +1804,8 @@ "rsa.misc.vsys": "quunturm", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1830,8 +1830,8 @@ "rsa.misc.severity": "low", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1851,8 +1851,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.51.161.245", - "10.193.80.21" + "10.193.80.21", + "10.51.161.245" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "modi", @@ -1863,8 +1863,8 @@ "10.51.161.245" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1885,8 +1885,8 @@ "rsa.misc.severity": "high", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1909,8 +1909,8 @@ "rsa.misc.vsys": "ciun", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1935,8 +1935,8 @@ "rsa.misc.vsys": "iusmod", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1959,8 +1959,8 @@ "rsa.network.interface": "lo4065", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -1990,8 +1990,8 @@ "rsa.misc.vsys": "essequam", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2016,8 +2016,8 @@ "rsa.misc.vsys": "mcorpor", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2042,8 +2042,8 @@ "rsa.misc.vsys": "hen", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "tasnu" }, 
@@ -2065,8 +2065,8 @@ "rsa.misc.vsys": "equaturQ", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2089,8 +2089,8 @@ "rsa.misc.vsys": "liqui", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2110,8 +2110,8 @@ "rsa.misc.severity": "medium", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2131,8 +2131,8 @@ "rsa.misc.severity": "high", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2154,8 +2154,8 @@ "rsa.misc.vsys": "dminima", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2180,8 +2180,8 @@ "rsa.misc.vsys": "umquam", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2203,8 +2203,8 @@ "rsa.misc.vsys": "equ", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2225,8 +2225,8 @@ "rsa.misc.vsys": "rudexer", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2249,8 +2249,8 @@ "rsa.misc.vsys": "imipsa", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2274,8 +2274,8 @@ "rsa.misc.vsys": "ptate", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2296,8 +2296,8 @@ "rsa.misc.vsys": "veniamqu", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2329,8 +2329,8 @@ "10.126.150.15" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { 
@@ -2355,8 +2355,8 @@ "rsa.misc.vsys": "iscive", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2377,8 +2377,8 @@ "rsa.misc.vsys": "hende", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2398,8 +2398,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.166.144.66", - "10.119.181.171" + "10.119.181.171", + "10.166.144.66" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "dol", @@ -2410,8 +2410,8 @@ "10.119.181.171" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2433,8 +2433,8 @@ "rsa.misc.vsys": "archit", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2457,8 +2457,8 @@ "rsa.misc.vsys": "eetdolo", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] }, { @@ -2495,8 +2495,8 @@ "10.96.165.147" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "utla" }, @@ -2534,8 +2534,8 @@ "10.201.72.59" ], "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ], "user.name": "repr" }, @@ -2557,8 +2557,8 @@ "rsa.misc.vsys": "sciuntN", "service.type": "juniper", "tags": [ - "juniper.netscreen", - "forwarded" + "forwarded", + "juniper.netscreen" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json index 9227f428e4a..5c788135621 100644 --- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json 
@@ -17,8 +17,8 @@ "destination.port": 80, "event.action": "malware_detected", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -28,9 +28,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -68,8 +68,8 @@ "source.port": 57116, "source.user.name": "user1", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "www.mytest.com" }, @@ -77,8 +77,8 @@ "@timestamp": "2016-09-20T15:43:30.330-02:00", "event.action": "malware_detected", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -88,9 +88,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -121,15 +121,15 @@ "source.ip": "192.0.2.0", "source.user.name": "admin", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { "@timestamp": "2016-09-20T15:40:30.050-02:00", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -170,8 +170,8 @@ "source.domain": "host.example.com", "source.ip": "192.0.2.0", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -239,8 +239,8 @@ "source.ip": "1.1.1.1", "source.port": 60148, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json index 622200c634a..abc4961d593 100644 --- a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json 
@@ -21,9 +21,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -57,8 +57,8 @@ "source.nat.port": 594, "source.port": 594, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -80,8 +80,8 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "srx", "input.type": "log", @@ -113,8 +113,8 @@ "source.ip": "10.0.0.26", "source.port": 37233, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -142,8 +142,8 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "srx", "input.type": "log", @@ -180,8 +180,8 @@ "source.ip": "1.2.3.4", "source.port": 56639, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -219,9 +219,9 @@ "event.start": "2014-05-01T06:28:10.933-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -268,8 +268,8 @@ "source.packets": 1, "source.port": 63456, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -298,9 +298,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -319,8 +319,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "50.0.0.100", - "30.0.0.100" + "30.0.0.100", + "50.0.0.100" ], "rule.name": "alg-policy", "server.ip": "30.0.0.100", @@ -337,8 +337,8 @@ "source.nat.port": 24065, "source.port": 24065, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { 
@@ -367,9 +367,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -388,9 +388,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "18.51.100.12", "192.0.2.1", - "198.51.100.12", - "18.51.100.12" + "198.51.100.12" ], "rule.name": "policy1", "server.ip": "198.51.100.12", @@ -402,8 +402,8 @@ "source.nat.port": 1, "source.port": 1, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -439,9 +439,9 @@ "event.start": "2010-09-30T04:55:07.188-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -463,9 +463,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "18.51.100.12", "192.0.2.1", - "198.51.100.12", - "18.51.100.12" + "198.51.100.12" ], "rule.name": "policy1", "server.bytes": 84, @@ -481,8 +481,8 @@ "source.packets": 1, "source.port": 1, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -521,9 +521,9 @@ "event.start": "2019-04-12T12:29:06.576-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -553,9 +553,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "10.3.136.49", "10.3.255.203", - "8.23.224.110", - "10.3.136.49" + "8.23.224.110" ], "rule.name": "permit_all", "server.bytes": 535, @@ -571,8 +571,8 @@ "source.packets": 6, "source.port": 47776, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -603,9 +603,9 @@ "event.start": "2019-04-13T12:33:06.576-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", 
@@ -627,8 +627,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "192.168.2.164", - "172.16.1.19" + "172.16.1.19", + "192.168.2.164" ], "rule.name": "35", "server.bytes": 1575, @@ -644,8 +644,8 @@ "source.packets": 13, "source.port": 53232, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -683,9 +683,9 @@ "event.start": "2018-10-06T23:32:20.898-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -737,8 +737,8 @@ "source.packets": 1, "source.port": 52890, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -776,9 +776,9 @@ "event.start": "2018-06-30T00:17:22.753-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -802,9 +802,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "192.168.0.47", "192.168.255.2", - "8.8.8.8", - "192.168.0.47" + "8.8.8.8" ], "rule.name": "trust-to-untrust-001", "server.bytes": 116, @@ -820,8 +820,8 @@ "source.packets": 1, "source.port": 62047, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -852,9 +852,9 @@ "event.start": "2015-09-25T12:19:53.846-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -879,10 +879,10 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.164.110.223", "10.104.12.161", - "10.9.1.150", - "10.12.70.1" + "10.12.70.1", + "10.164.110.223", + "10.9.1.150" ], "rule.name": "FW-FTP", "server.bytes": 0, @@ -898,8 +898,8 @@ "source.packets": 0, "source.port": 9057, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { 
@@ -930,9 +930,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -951,9 +951,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "173.167.224.7", "192.168.224.30", - "207.17.137.56", - "173.167.224.7" + "207.17.137.56" ], "rule.name": "General-Outbound", "server.ip": "207.17.137.56", @@ -975,8 +975,8 @@ "source.nat.port": 14406, "source.port": 3129, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1014,9 +1014,9 @@ "event.start": "2013-01-19T15:18:17.040-02:00", "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -1037,9 +1037,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "173.167.224.7", "192.168.224.30", - "207.17.137.56", - "173.167.224.7" + "207.17.137.56" ], "rule.name": "General-Outbound", "server.bytes": 0, @@ -1065,8 +1065,8 @@ "source.packets": 1, "source.port": 3129, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1104,9 +1104,9 @@ "event.start": "2013-01-19T15:18:17.040-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -1129,9 +1129,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "173.167.224.7", "192.168.224.30", - "207.17.137.56", - "173.167.224.7" + "207.17.137.56" ], "rule.name": "General-Outbound", "server.bytes": 104, @@ -1157,8 +1157,8 @@ "source.packets": 3, "source.port": 3129, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { 
@@ -1196,9 +1196,9 @@ "event.start": "2013-01-19T15:18:18.040-02:00", "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -1252,8 +1252,8 @@ "source.port": 33040, "source.user.name": "user1", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1284,9 +1284,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -1337,8 +1337,8 @@ "source.port": 33040, "source.user.name": "user1", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1376,9 +1376,9 @@ "event.start": "2013-01-19T15:18:20.040-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -1431,8 +1431,8 @@ "source.port": 48873, "source.user.name": "user1", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1461,9 +1461,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -1482,8 +1482,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "50.0.0.100", - "30.0.0.100" + "30.0.0.100", + "50.0.0.100" ], "rule.name": "alg-policy", "server.ip": "30.0.0.100", @@ -1500,8 +1500,8 @@ "source.nat.port": 24065, "source.port": 24065, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1523,8 +1523,8 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "srx", "input.type": "log", @@ -1556,8 +1556,8 @@ "source.ip": "10.0.0.26", "source.port": 37233, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { 
@@ -1595,9 +1595,9 @@ "event.start": "2020-01-19T15:18:20.040-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -1650,8 +1650,8 @@ "source.port": 48873, "source.user.name": "user1", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1692,9 +1692,9 @@ "event.start": "2020-07-14T12:17:11.928-02:00", "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -1718,8 +1718,8 @@ "observer.vendor": "Juniper", "related.ip": [ "10.1.1.100", - "46.165.154.241", - "172.19.34.100" + "172.19.34.100", + "46.165.154.241" ], "rule.name": "default-permit", "server.bytes": 2132, @@ -1735,8 +1735,8 @@ "source.packets": 42, "source.port": 58943, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1778,9 +1778,9 @@ "event.start": "2020-07-13T14:43:05.041-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -1813,8 +1813,8 @@ "observer.vendor": "Juniper", "related.ip": [ "10.1.1.100", - "91.228.167.172", - "172.19.34.100" + "172.19.34.100", + "91.228.167.172" ], "rule.name": "default-permit", "server.bytes": 9670, @@ -1830,8 +1830,8 @@ "source.packets": 161, "source.port": 64720, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1863,9 +1863,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "srx", "input.type": "log", @@ -1889,8 +1889,8 @@ "observer.vendor": "Juniper", "related.ip": [ "10.1.1.100", - "8.8.8.8", - "172.19.34.100" + "172.19.34.100", + "8.8.8.8" ], "rule.name": "default-permit", "server.ip": "8.8.8.8", 
@@ -1902,8 +1902,8 @@ "source.nat.port": 30838, "source.port": 49583, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -1941,9 +1941,9 @@ "event.start": "2020-07-13T14:12:05.530-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "srx", "input.type": "log", @@ -1971,8 +1971,8 @@ "observer.vendor": "Juniper", "related.ip": [ "10.1.1.100", - "8.8.8.8", - "172.19.34.100" + "172.19.34.100", + "8.8.8.8" ], "rule.name": "default-permit", "server.bytes": 82, @@ -1988,8 +1988,8 @@ "source.packets": 1, "source.port": 63381, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json index 71faf19efc7..3254883ceb9 100644 --- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json @@ -14,8 +14,8 @@ "destination.port": 123, "event.action": "security_threat", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.duration": 0, @@ -28,9 +28,9 @@ "event.start": "2020-03-02T21:13:03.193-02:00", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -62,9 +62,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "0.0.0.0", "10.11.11.1", "187.188.188.10", - "0.0.0.0", "3.3.10.11" ], "related.user": [ @@ -86,8 +86,8 @@ "source.port": 12345, "source.user.name": "unknown-user", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { 
@@ -105,8 +105,8 @@ "destination.port": 123, "event.action": "security_threat", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.duration": 0, @@ -119,9 +119,9 @@ "event.start": "2020-03-02T21:13:03.197-02:00", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -153,9 +153,9 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "0.0.0.0", "10.11.11.1", "187.188.188.10", - "0.0.0.0", "3.3.10.11" ], "related.user": [ @@ -177,8 +177,8 @@ "source.port": 12345, "source.user.name": "unknown-user", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -196,8 +196,8 @@ "destination.port": 80, "event.action": "security_threat", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.duration": 0, @@ -210,9 +210,9 @@ "event.start": "2007-02-15T07:17:15.719-02:00", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -242,10 +242,10 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "183.78.180.27", - "118.127.111.1", "0.0.0.0", - "172.19.13.11" + "118.127.111.1", + "172.19.13.11", + "183.78.180.27" ], "rule.id": "9", "rule.name": "IPS", @@ -262,8 +262,8 @@ "source.packets": 0, "source.port": 45610, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -281,8 +281,8 @@ "destination.port": 80, "event.action": "security_threat", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.duration": 0, 
@@ -295,9 +295,9 @@ "event.start": "2017-10-12T19:55:55.792-02:00", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -327,10 +327,10 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "183.78.180.27", - "118.127.30.11", "0.0.0.0", - "172.16.1.10" + "118.127.30.11", + "172.16.1.10", + "183.78.180.27" ], "rule.id": "9", "rule.name": "IPS", @@ -347,8 +347,8 @@ "source.packets": 0, "source.port": 45610, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -357,8 +357,8 @@ "destination.port": 80, "event.action": "application_ddos", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -368,9 +368,9 @@ "event.severity": 165, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -400,8 +400,8 @@ "server.port": 80, "service.type": "juniper", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -412,8 +412,8 @@ "destination.port": 80, "event.action": "application_ddos", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -423,9 +423,9 @@ "event.severity": 165, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -458,8 +458,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "192.168.14.214", - "172.27.14.203" + "172.27.14.203", + "192.168.14.214" ], "rule.id": "1", "server.ip": "172.27.14.203", @@ -468,8 +468,8 @@ "source.ip": "192.168.14.214", "source.port": 50825, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { 
@@ -480,8 +480,8 @@ "destination.port": 80, "event.action": "application_ddos", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -491,9 +491,9 @@ "event.severity": 165, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -526,8 +526,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "193.168.14.214", - "172.30.20.201" + "172.30.20.201", + "193.168.14.214" ], "rule.id": "1", "server.ip": "172.30.20.201", @@ -536,8 +536,8 @@ "source.ip": "193.168.14.214", "source.port": 50825, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json index e92c17e6a4c..b0be8ce7108 100644 --- a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json @@ -14,8 +14,8 @@ "destination.port": 1433, "event.action": "sweep_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -25,9 +25,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -62,8 +62,8 @@ "source.ip": "113.113.17.17", "source.port": 6000, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -74,8 +74,8 @@ "destination.port": 139, "event.action": "attack_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", 
@@ -85,9 +85,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -113,8 +113,8 @@ "source.ip": "2000:0000:0000:0000:0000:0000:0000:0002", "source.port": 3240, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -132,8 +132,8 @@ "destination.port": 50010, "event.action": "flood_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -143,9 +143,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -178,8 +178,8 @@ "source.ip": "1.1.1.2", "source.port": 40001, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -198,8 +198,8 @@ "destination.port": 53, "event.action": "flood_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -209,9 +209,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -247,8 +247,8 @@ "source.ip": "111.1.1.3", "source.port": 40001, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -265,8 +265,8 @@ "destination.ip": "3.4.2.2", "event.action": "fragment_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -276,9 +276,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", 
@@ -312,8 +312,8 @@ "source.geo.region_name": "Zhejiang", "source.ip": "111.1.1.3", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -329,8 +329,8 @@ "destination.geo.region_name": "Washington", "destination.ip": "3.4.2.2", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -340,9 +340,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -377,8 +377,8 @@ "source.geo.region_name": "Zhejiang", "source.ip": "111.1.1.3", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -387,8 +387,8 @@ "destination.ip": "1111::11", "event.action": "tunneling_screen", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -398,9 +398,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -418,15 +418,15 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "1212::12", - "1111::11" + "1111::11", + "1212::12" ], "server.ip": "1111::11", "service.type": "juniper", "source.ip": "1212::12", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -440,8 +440,8 @@ "destination.ip": "11.11.11.1", "event.action": "tunneling_screen", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -451,9 +451,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", 
@@ -471,8 +471,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "12.12.12.1", - "11.11.11.1" + "11.11.11.1", + "12.12.12.1" ], "server.ip": "11.11.11.1", "service.type": "juniper", @@ -485,8 +485,8 @@ "source.geo.location.lon": -97.822, "source.ip": "12.12.12.1", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -501,8 +501,8 @@ "destination.ip": "2.2.2.2", "event.action": "flood_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -512,9 +512,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -536,8 +536,8 @@ "server.ip": "2.2.2.2", "service.type": "juniper", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -545,8 +545,8 @@ "client.ip": "111.1.1.3", "event.action": "flood_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -556,9 +556,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -590,8 +590,8 @@ "source.geo.region_name": "Zhejiang", "source.ip": "111.1.1.3", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -602,8 +602,8 @@ "destination.port": 10778, "event.action": "scan_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -613,9 +613,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", 
@@ -632,8 +632,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.1.1.100", - "10.1.1.1" + "10.1.1.1", + "10.1.1.100" ], "server.ip": "10.1.1.1", "server.port": 10778, @@ -641,8 +641,8 @@ "source.ip": "10.1.1.100", "source.port": 50630, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -653,8 +653,8 @@ "destination.port": 7, "event.action": "illegal_tcp_flag_detected", "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -664,9 +664,9 @@ "event.severity": 11, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -683,8 +683,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.1.1.100", - "10.1.1.1" + "10.1.1.1", + "10.1.1.100" ], "server.ip": "10.1.1.1", "server.port": 7, @@ -692,8 +692,8 @@ "source.ip": "10.1.1.100", "source.port": 42799, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json index 9385beef0b0..d282ccd1be1 100644 --- a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json @@ -7,8 +7,8 @@ "destination.port": 24039, "event.action": "malware_detected", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -18,9 +18,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", 
@@ -45,8 +45,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "5.196.121.161", - "10.10.0.10" + "10.10.0.10", + "5.196.121.161" ], "server.ip": "10.10.0.10", "server.port": 24039, @@ -61,8 +61,8 @@ "source.ip": "5.196.121.161", "source.port": 1, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -73,8 +73,8 @@ "destination.port": 80, "event.action": "malware_detected", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -84,9 +84,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -132,8 +132,8 @@ "source.ip": "1.1.1.1", "source.port": 36612, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "dummy_host" } diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json index 1da203ed451..42e994e057e 100644 --- a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json @@ -14,8 +14,8 @@ "destination.port": 80, "event.action": "web_filter", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -25,9 +25,9 @@ "event.severity": 12, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -46,8 +46,8 @@ "www.baidu.com" ], "related.ip": [ - "192.168.1.100", - "103.235.46.39" + "103.235.46.39", + "192.168.1.100" ], "related.user": [ "user01" @@ -59,8 +59,8 @@ "source.port": 58071, "source.user.name": "user01", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "www.baidu.com", "url.path": "/" 
@@ -121,8 +121,8 @@ "source.port": 1402, "source.user.name": "user02", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "www.checkpoint.com", "url.path": "/css/homepage2012.css" @@ -135,8 +135,8 @@ "destination.port": 47095, "event.action": "virus_detected", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -146,9 +146,9 @@ "event.severity": 12, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "file.name": "www.eicar.org/download/eicar.com", "fileset.name": "srx", @@ -168,8 +168,8 @@ "EICAR-Test-File" ], "related.ip": [ - "188.40.238.250", - "10.1.1.103" + "10.1.1.103", + "188.40.238.250" ], "server.ip": "10.1.1.103", "server.port": 47095, @@ -184,8 +184,8 @@ "source.ip": "188.40.238.250", "source.port": 80, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "EICAR-Test-File" }, @@ -223,8 +223,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "74.125.155.147", - "10.1.1.103" + "10.1.1.103", + "74.125.155.147" ], "server.ip": "10.1.1.103", "server.port": 33578, @@ -239,8 +239,8 @@ "source.ip": "74.125.155.147", "source.port": 80, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -275,8 +275,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.2.1.101", - "10.1.1.103" + "10.1.1.103", + "10.2.1.101" ], "server.ip": "10.1.1.103", "server.port": 51727, @@ -284,8 +284,8 @@ "source.ip": "10.2.1.101", "source.port": 80, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -293,8 +293,8 @@ "client.ip": "10.10.10.1", "event.action": "antispam_filter", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", 
@@ -304,9 +304,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -333,8 +333,8 @@ "source.ip": "10.10.10.1", "source.user.name": "user01", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -345,8 +345,8 @@ "destination.port": 80, "event.action": "content_filter", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -356,9 +356,9 @@ "event.severity": 14, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "file.name": "test.cmd", "fileset.name": "srx", @@ -391,8 +391,8 @@ "source.port": 58071, "source.user.name": "user01@testuser.com", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] }, { @@ -410,8 +410,8 @@ "destination.port": 80, "event.action": "web_filter", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -421,9 +421,9 @@ "event.severity": 12, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -442,8 +442,8 @@ "www.baidu.com" ], "related.ip": [ - "192.168.1.100", - "103.235.46.39" + "103.235.46.39", + "192.168.1.100" ], "related.user": [ "user01" @@ -455,8 +455,8 @@ "source.port": 58071, "source.user.name": "user01", "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "www.baidu.com", "url.path": "/" @@ -469,8 +469,8 @@ "destination.port": 47095, "event.action": "virus_detected", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", 
@@ -480,9 +480,9 @@ "event.severity": 12, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "file.name": "www.eicar.org/download/eicar.com", "fileset.name": "srx", @@ -502,8 +502,8 @@ "EICAR-Test-File" ], "related.ip": [ - "188.40.238.250", - "10.1.1.103" + "10.1.1.103", + "188.40.238.250" ], "server.ip": "10.1.1.103", "server.port": 47095, @@ -518,8 +518,8 @@ "source.ip": "188.40.238.250", "source.port": 80, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "EICAR-Test-File" }, @@ -580,8 +580,8 @@ "source.ip": "10.1.1.100", "source.port": 58974, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "datawrapper.dwcdn.net", "url.path": "/" @@ -601,8 +601,8 @@ "destination.port": 443, "event.action": "web_filter", "event.category": [ - "network", - "malware" + "malware", + "network" ], "event.dataset": "juniper.srx", "event.kind": "alert", @@ -613,9 +613,9 @@ "event.severity": 12, "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "srx", "input.type": "log", @@ -646,8 +646,8 @@ "source.ip": "10.1.1.100", "source.port": 59075, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ], "url.domain": "dsp.adfarm1.adition.com", "url.path": "/" @@ -690,8 +690,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "23.209.86.45", - "10.1.1.100" + "10.1.1.100", + "23.209.86.45" ], "server.ip": "10.1.1.100", "server.port": 58954, @@ -706,8 +706,8 @@ "source.ip": "23.209.86.45", "source.port": 80, "tags": [ - "juniper.srx", - "forwarded" + "forwarded", + "juniper.srx" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json index 388aa8586a1..81593221228 100644 
--- a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json +++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json @@ -102,8 +102,8 @@ "process.pid": 4104, "process.start": "2020-06-30T09:45:38.9784654Z", "related.hash": [ - "b6d237154f2e528f0b503b58b025862d66b02b73", - "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77" + "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77", + "b6d237154f2e528f0b503b58b025862d66b02b73" ], "related.hosts": [ "testserver4" @@ -141,9 +141,9 @@ "event.start": "2020-06-30T09:04:56.8490679Z", "event.timezone": "UTC", "event.type": [ - "user", "creation", - "start" + "start", + "user" ], "fileset.name": "defender_atp", "host.hostname": "testserver4", @@ -226,8 +226,8 @@ "observer.product": "Defender ATP", "observer.vendor": "Microsoft", "related.hash": [ - "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", - "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281" ], "related.hosts": [ "testserver4" diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json index 8bc24bf8ae5..1f3501aa933 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json @@ -31,8 +31,8 @@ ], "source.mac": "01:00:5e:ce:bf:42", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "ventore" }, @@ -64,8 +64,8 @@ "10.124.22.221" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -97,8 +97,8 @@ ], "source.mac": "01:00:5e:3a:fe:e3", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { 
@@ -129,8 +129,8 @@ "10.103.162.55" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -162,8 +162,8 @@ ], "source.mac": "01:00:5e:ad:16:77", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -195,8 +195,8 @@ ], "source.mac": "01:00:5e:33:84:66", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -228,8 +228,8 @@ ], "source.mac": "01:00:5e:69:9a:1a", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -264,8 +264,8 @@ ], "source.mac": "01:00:5e:a2:09:ea", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "tionulam" }, @@ -306,8 +306,8 @@ ], "source.mac": "01:00:5e:35:c0:09", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "con" }, @@ -340,8 +340,8 @@ ], "source.mac": "01:00:5e:f5:8e:0d", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -376,8 +376,8 @@ ], "source.mac": "01:00:5e:0b:42:ab", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "uaerat" }, @@ -409,8 +409,8 @@ "10.58.0.245" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -445,8 +445,8 @@ ], "source.mac": "01:00:5e:8b:ba:06", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "ect" }, @@ -480,8 +480,8 @@ "10.163.217.10" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -521,8 +521,8 @@ ], "source.mac": "01:00:5e:42:6c:b4", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "suntinc" }, @@ -555,8 +555,8 @@ ], "source.mac": "01:00:5e:c9:5b:b2", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { 
@@ -587,8 +587,8 @@ "10.111.27.193" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -622,8 +622,8 @@ ], "source.mac": "01:00:5e:e7:c7:cb", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -661,8 +661,8 @@ ], "source.mac": "01:00:5e:a4:f5:60", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "olupta" }, @@ -695,8 +695,8 @@ ], "source.mac": "01:00:5e:10:76:60", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -728,8 +728,8 @@ ], "source.mac": "01:00:5e:b9:7e:b1", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -764,8 +764,8 @@ ], "source.mac": "01:00:5e:fa:2b:37", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -797,8 +797,8 @@ ], "source.mac": "01:00:5e:37:14:9d", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -830,8 +830,8 @@ ], "source.mac": "01:00:5e:59:a3:48", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -863,8 +863,8 @@ ], "source.mac": "01:00:5e:44:c4:69", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -901,8 +901,8 @@ ], "source.mac": "01:00:5e:3a:d0:86", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "ita" }, @@ -934,8 +934,8 @@ "10.97.38.141" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -970,8 +970,8 @@ ], "source.mac": "01:00:5e:24:f1:b2", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1006,8 +1006,8 @@ ], "source.mac": "01:00:5e:31:b9:65", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { 
@@ -1039,8 +1039,8 @@ ], "source.mac": "01:00:5e:60:77:c7", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1071,8 +1071,8 @@ "10.17.21.125" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1103,8 +1103,8 @@ "10.73.69.75" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1139,8 +1139,8 @@ ], "source.mac": "01:00:5e:4e:97:83", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "iscinge" }, @@ -1172,8 +1172,8 @@ "10.45.25.68" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1205,8 +1205,8 @@ ], "source.mac": "01:00:5e:cc:0b:8f", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1237,8 +1237,8 @@ "10.68.93.6" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1272,8 +1272,8 @@ ], "source.mac": "01:00:5e:e1:73:47", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1304,8 +1304,8 @@ "10.192.110.182" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1337,8 +1337,8 @@ ], "source.mac": "01:00:5e:a0:cd:2f", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1369,8 +1369,8 @@ "10.148.153.201" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1402,8 +1402,8 @@ ], "source.mac": "01:00:5e:c7:b7:18", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1435,8 +1435,8 @@ ], "source.mac": "01:00:5e:81:99:6f", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1467,8 +1467,8 @@ "10.213.147.241" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { 
@@ -1501,8 +1501,8 @@ "10.183.233.5" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1533,8 +1533,8 @@ "10.52.186.29" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1568,8 +1568,8 @@ ], "source.mac": "01:00:5e:35:a8:83", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1604,8 +1604,8 @@ ], "source.mac": "01:00:5e:3b:7a:f1", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1638,8 +1638,8 @@ ], "source.mac": "01:00:5e:1e:d6:07", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1670,8 +1670,8 @@ "10.194.114.58" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1702,8 +1702,8 @@ "10.212.42.224" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1736,8 +1736,8 @@ "10.244.144.198" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1769,8 +1769,8 @@ ], "source.mac": "01:00:5e:5b:99:6c", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1802,8 +1802,8 @@ ], "source.mac": "01:00:5e:78:a7:55", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1835,8 +1835,8 @@ ], "source.mac": "01:00:5e:ed:c2:f7", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1867,8 +1867,8 @@ "10.90.86.89" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -1908,8 +1908,8 @@ ], "source.mac": "01:00:5e:69:58:0e", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "ecte" }, @@ -1943,8 +1943,8 @@ "10.158.237.92" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { 
@@ -1979,8 +1979,8 @@ ], "source.mac": "01:00:5e:a7:ac:70", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "stquido" }, @@ -2016,8 +2016,8 @@ ], "source.mac": "01:00:5e:e2:17:79", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "reetdolo" }, @@ -2053,8 +2053,8 @@ "10.20.147.134" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2085,8 +2085,8 @@ "10.213.145.202" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2118,8 +2118,8 @@ ], "source.mac": "01:00:5e:7e:22:1b", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2150,8 +2150,8 @@ "10.76.10.73" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2188,8 +2188,8 @@ ], "source.mac": "01:00:5e:55:ee:a4", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "reetdolo" }, @@ -2222,8 +2222,8 @@ ], "source.mac": "01:00:5e:f6:ba:65", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2254,8 +2254,8 @@ "10.20.129.206" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2295,8 +2295,8 @@ ], "source.mac": "01:00:5e:bb:1d:bf", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "str" }, @@ -2332,8 +2332,8 @@ ], "source.mac": "01:00:5e:c1:3c:48", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2364,8 +2364,8 @@ "10.22.110.210" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2396,8 +2396,8 @@ "10.218.87.174" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2428,8 +2428,8 @@ "10.140.113.244" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { 
@@ -2460,8 +2460,8 @@ "10.159.181.29" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2492,8 +2492,8 @@ "10.178.173.128" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2524,8 +2524,8 @@ "10.217.38.30" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2556,8 +2556,8 @@ "10.178.49.161" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2592,8 +2592,8 @@ ], "source.mac": "01:00:5e:fd:3d:c2", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2624,8 +2624,8 @@ "10.175.103.215" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2657,8 +2657,8 @@ ], "source.mac": "01:00:5e:ba:09:4a", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2695,8 +2695,8 @@ ], "source.mac": "01:00:5e:8f:35:71", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "orsit" }, @@ -2737,8 +2737,8 @@ ], "source.mac": "01:00:5e:c7:c2:10", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "odoconse" }, @@ -2771,8 +2771,8 @@ ], "source.mac": "01:00:5e:27:0a:9d", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2805,8 +2805,8 @@ "10.192.21.74" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2837,8 +2837,8 @@ "10.142.25.100" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2872,8 +2872,8 @@ "10.162.114.217" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2912,8 +2912,8 @@ ], "source.mac": "01:00:5e:d8:53:15", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "iduntu" }, 
@@ -2946,8 +2946,8 @@ ], "source.mac": "01:00:5e:7a:4c:6e", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -2978,8 +2978,8 @@ "10.0.132.176" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3013,8 +3013,8 @@ ], "source.mac": "01:00:5e:0b:fb:4a", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3046,8 +3046,8 @@ ], "source.mac": "01:00:5e:80:9d:2c", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3081,8 +3081,8 @@ "10.22.187.69" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3113,8 +3113,8 @@ "10.2.128.234" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3149,8 +3149,8 @@ "10.223.160.140" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3181,8 +3181,8 @@ "10.137.14.180" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3217,8 +3217,8 @@ ], "source.mac": "01:00:5e:1b:92:a6", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3249,8 +3249,8 @@ "10.192.182.230" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3287,8 +3287,8 @@ ], "source.mac": "01:00:5e:64:62:d1", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "sequat" }, @@ -3324,8 +3324,8 @@ ], "source.mac": "01:00:5e:2f:ff:49", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ], "user.name": "rcit" }, @@ -3361,8 +3361,8 @@ "10.95.241.28" ], "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { @@ -3394,8 +3394,8 @@ ], "source.mac": "01:00:5e:11:45:1e", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] }, { 
@@ -3427,8 +3427,8 @@ ], "source.mac": "01:00:5e:01:2f:7d", "tags": [ - "microsoft.dhcp", - "forwarded" + "forwarded", + "microsoft.dhcp" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test-empty.ndjson.log-expected.json b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test-empty.ndjson.log-expected.json index 6b59f0f8c94..e89fc088815 100644 --- a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test-empty.ndjson.log-expected.json +++ b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test-empty.ndjson.log-expected.json @@ -23,8 +23,8 @@ "observer.vendor": "Microsoft", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json index 7091b8b456d..8a6051bf661 100644 --- a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json +++ b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json 
@@ -62,14 +62,14 @@ "observer.product": "365 Defender", "observer.vendor": "Microsoft", "related.hash": [ - "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", - "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281" ], "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "Malware" 
@@ -137,14 +137,14 @@ "observer.product": "365 Defender", "observer.vendor": "Microsoft", "related.hash": [ - "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", - "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281" ], "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "Malware" 
@@ -213,14 +213,14 @@ "observer.product": "365 Defender", "observer.vendor": "Microsoft", "related.hash": [ - "d1bb29ce3d01d01451e3623132545d5f577a1bd6", - "ce8d3a3811a3bf923902d6924532308506fe5d024435ddee0cabf90ad9b29f6a" + "ce8d3a3811a3bf923902d6924532308506fe5d024435ddee0cabf90ad9b29f6a", + "d1bb29ce3d01d01451e3623132545d5f577a1bd6" ], "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "Malware" @@ -289,8 +289,8 @@ "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "Malware" 
@@ -359,8 +359,8 @@ "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "SuspiciousActivity" @@ -427,8 +427,8 @@ "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "SuspiciousActivity" 
@@ -497,8 +497,8 @@ "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "SuspiciousActivity" @@ -550,8 +550,8 @@ "rule.description": "Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "SuspiciousActivity" @@ -605,8 +605,8 @@ "rule.description": "Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.", "service.type": "microsoft", "tags": [ - "m365-defender", - "forwarded" + "forwarded", + "m365-defender" ], "threat.framework": "MITRE ATT&CK", "threat.technique.name": "SuspiciousActivity", diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json index e563f918ac7..e8fbe0e1d65 100644 --- a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json 
+++ b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json @@ -19,11 +19,11 @@ "mysqlenterprise.audit.connection_id": 0, "mysqlenterprise.audit.id": 0, "process.args": [ - "/usr/local/mysql/bin/mysqld", - "--loose-audit-log-format=JSON", "--log-error=log.err", + "--loose-audit-log-format=JSON", "--pid-file=mysqld.pid", - "--port=3306" + "--port=3306", + "/usr/local/mysql/bin/mysqld" ], "process.args_count": 5, "process.command_line": "/usr/local/mysql/bin/mysqld --loose-audit-log-format=JSON --log-error=log.err --pid-file=mysqld.pid --port=3306", @@ -440,8 +440,8 @@ "event.type": [ "access", "connection", - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "input.type": "log", @@ -459,8 +459,8 @@ "localhost" ], "related.user": [ - "root", - "audit_test_user" + "audit_test_user", + "root" ], "server.user.name": "root", "service.type": "mysqlenterprise", @@ -488,8 +488,8 @@ "event.type": [ "access", "connection", - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "input.type": "log", @@ -507,8 +507,8 @@ "localhost" ], "related.user": [ - "root", - "audit_test_user2" + "audit_test_user2", + "root" ], "server.user.name": "root", "service.type": "mysqlenterprise", @@ -1354,8 +1354,8 @@ "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "input.type": "log", @@ -1445,8 +1445,8 @@ "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "audit", "input.type": "log", diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 28d5a2d403a..e820cfaf431 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json 
@@ -20,8 +20,8 @@ "rsa.misc.version": "1.6078", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "rci" }, @@ -44,8 +44,8 @@ "rsa.time.starttime": "2016-02-12T15:12:33.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "tatemac" }, @@ -68,8 +68,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "nseq" }, @@ -87,8 +87,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -108,8 +108,8 @@ "rsa.time.starttime": "2016-03-26T12:20:16.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -138,8 +138,8 @@ "10.51.132.10" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -161,8 +161,8 @@ "rsa.time.starttime": "2016-04-24T02:25:25.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "incidi" }, @@ -183,8 +183,8 @@ "rsa.time.starttime": "2016-05-08T09:27:59.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -206,8 +206,8 @@ "rsa.time.starttime": "2016-05-22T16:30:33.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "anti" }, @@ -231,8 +231,8 @@ "rsa.time.starttime": "2016-06-05T23:33:08.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { 
@@ -249,8 +249,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -274,8 +274,8 @@ "rsa.misc.version": "1.5162", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "nci" }, @@ -297,8 +297,8 @@ "rsa.time.endtime": "2016-07-18T20:40:50.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -320,8 +320,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "mail.example.net", "url.extension": "jpg", @@ -351,8 +351,8 @@ "rsa.time.starttime": "2016-08-16T10:45:59.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -371,8 +371,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.66.171.247", - "10.155.162.162" + "10.155.162.162", + "10.66.171.247" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -382,8 +382,8 @@ "10.66.171.247" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "www5.example.org", "url.extension": "jpg", @@ -412,8 +412,8 @@ "rsa.misc.node": "iusmodt", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -435,8 +435,8 @@ "rsa.time.starttime": "2016-09-28T07:53:42.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "uiano" }, @@ -467,8 +467,8 @@ "10.38.77.13" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "example.org", "url.extension": "gif", 
@@ -495,8 +495,8 @@ "rsa.time.starttime": "2016-10-26T21:58:50.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -522,8 +522,8 @@ "rsa.network.interface": "lo5882", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -549,8 +549,8 @@ "rsa.network.interface": "lo4987", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -572,8 +572,8 @@ "rsa.time.starttime": "2016-12-08T19:06:33.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "qua" }, @@ -591,8 +591,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -614,8 +614,8 @@ "rsa.time.starttime": "2017-01-06T09:11:41.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "turveli" }, @@ -638,8 +638,8 @@ "rsa.time.starttime": "2017-01-20T16:14:16.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "caecatc" }, @@ -665,8 +665,8 @@ "rsa.time.endtime": "2017-02-03T23:16:50.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -686,8 +686,8 @@ "rsa.time.starttime": "2017-02-18T06:19:24.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -706,8 +706,8 @@ "rsa.misc.node": "oin", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { 
@@ -727,8 +727,8 @@ "rsa.time.endtime": "2017-03-18T20:24:33.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -750,8 +750,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "mqui" }, @@ -772,8 +772,8 @@ "rsa.time.starttime": "2017-04-16T10:29:41.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -798,8 +798,8 @@ "rsa.time.starttime": "2017-04-30T17:32:16.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -816,8 +816,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -840,8 +840,8 @@ "rsa.time.starttime": "2017-05-29T07:37:24.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -863,8 +863,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "www.example.net", "url.extension": "gif", @@ -891,8 +891,8 @@ "rsa.misc.node": "reetd", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -912,8 +912,8 @@ "rsa.time.endtime": "2017-07-11T04:45:07.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -936,8 +936,8 @@ "rsa.time.starttime": "2017-07-25T11:47:41.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { 
@@ -957,8 +957,8 @@ "rsa.misc.node": "doloremi", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -978,8 +978,8 @@ "rsa.misc.trigger_val": "sci", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1001,8 +1001,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "mail.example.net", "url.extension": "jpg", @@ -1031,8 +1031,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "suntexp" }, @@ -1063,8 +1063,8 @@ "10.136.232.108" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "example.net", "url.extension": "jpg", @@ -1096,8 +1096,8 @@ "rsa.time.endtime": "2017-10-19T06:03:07.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1117,8 +1117,8 @@ "rsa.time.endtime": "2017-11-02T13:05:41.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1139,8 +1139,8 @@ "rsa.time.starttime": "2017-11-16T20:08:15.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1163,8 +1163,8 @@ "rsa.time.starttime": "2017-12-01T03:10:49.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1194,8 +1194,8 @@ "10.83.23.104" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "www5.example.org", "url.extension": "txt", 
@@ -1227,8 +1227,8 @@ "rsa.time.endtime": "2017-12-29T17:15:58.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1245,8 +1245,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1266,8 +1266,8 @@ "rsa.time.starttime": "2018-01-27T07:21:06.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1290,8 +1290,8 @@ "rsa.time.starttime": "2018-02-10T14:23:41.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1313,8 +1313,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "uiac" }, @@ -1334,8 +1334,8 @@ "rsa.misc.node": "iatisu", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1357,8 +1357,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "ersp" }, @@ -1376,8 +1376,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1394,8 +1394,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1417,8 +1417,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "rsitv" }, 
@@ -1441,8 +1441,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "api.example.com", "url.extension": "html", @@ -1471,8 +1471,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "udexerci" }, @@ -1493,8 +1493,8 @@ "rsa.time.starttime": "2018-06-19T05:46:49.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1518,8 +1518,8 @@ "rsa.misc.version": "1.4425", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "ati" }, @@ -1546,8 +1546,8 @@ "rsa.network.interface": "enp0s4306", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1568,8 +1568,8 @@ "rsa.time.endtime": "2018-08-01T02:54:32.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1598,8 +1598,8 @@ "10.54.49.84" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1616,8 +1616,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1643,8 +1643,8 @@ "rsa.network.interface": "lo4293", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1667,8 +1667,8 @@ "rsa.time.starttime": "2018-09-27T07:04:49.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { 
@@ -1688,8 +1688,8 @@ "rsa.misc.trigger_val": "tpersp", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1711,8 +1711,8 @@ "rsa.misc.node": "proiden", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1732,8 +1732,8 @@ "rsa.time.endtime": "2018-11-09T04:12:32.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1756,8 +1756,8 @@ "rsa.time.starttime": "2018-11-23T11:15:06.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1780,8 +1780,8 @@ "rsa.time.starttime": "2018-12-07T18:17:40.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -1811,8 +1811,8 @@ "10.122.76.148" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "mail.example.org", "url.extension": "txt", @@ -1841,8 +1841,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "internal.example.com", "url.extension": "html", @@ -1871,8 +1871,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "internal.example.org", "url.extension": "txt", @@ -1901,8 +1901,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "mail.example.org", "url.extension": "txt", @@ -1939,8 +1939,8 @@ "10.31.177.226" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "www.example.org", "url.extension": "html", 
@@ -1977,8 +1977,8 @@ "10.44.47.27" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "www.example.org", "url.extension": "jpg", @@ -2009,8 +2009,8 @@ "rsa.misc.version": "1.2883", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "lor" }, @@ -2031,8 +2031,8 @@ "rsa.misc.trigger_val": "ita", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2049,8 +2049,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2072,8 +2072,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "tMal" }, @@ -2098,8 +2098,8 @@ "rsa.misc.version": "1.2552", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "onu" }, @@ -2119,8 +2119,8 @@ "rsa.misc.node": "norumet", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2143,8 +2143,8 @@ "rsa.time.starttime": "2019-06-11T13:51:06.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2167,8 +2167,8 @@ "rsa.time.starttime": "2019-06-25T20:53:40.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2190,8 +2190,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "orroqu" }, 
@@ -2209,8 +2209,8 @@ "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2232,8 +2232,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "veniamq" }, @@ -2253,8 +2253,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.55.156.64", - "10.151.129.181" + "10.151.129.181", + "10.55.156.64" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2264,8 +2264,8 @@ "10.151.129.181" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "www.example.net", "url.extension": "txt", @@ -2294,8 +2294,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "www.example.net", "url.extension": "jpg", @@ -2331,8 +2331,8 @@ "10.46.77.76" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2352,8 +2352,8 @@ "rsa.time.starttime": "2019-10-03T22:11:40.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2376,8 +2376,8 @@ "rsa.time.starttime": "2019-10-18T05:14:14.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { @@ -2407,8 +2407,8 @@ "10.73.89.189" ], "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "api.example.org", "url.extension": "htm", @@ -2438,8 +2438,8 @@ "rsa.time.starttime": "2019-11-15T19:19:22.000Z", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ] }, { 
@@ -2461,8 +2461,8 @@ "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "url.domain": "www5.example.com", "url.extension": "htm", @@ -2491,8 +2491,8 @@ "rsa.misc.msgIdPart2": "Log", "service.type": "netscout", "tags": [ - "netscout.sightline", - "forwarded" + "forwarded", + "netscout.sightline" ], "user.name": "rcitat" } diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log-expected.json index 826e8fbd857..2b9c5c2a092 100644 --- a/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log-expected.json @@ -61,8 +61,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_9d47c163-bf1f-45c5-9b7e-b7b5e88cf451", - "Type": 2 + "ID": "Microsoft Azure AD Identity Protection", + "Type": 1 }, { "ID": "9d47c163-bf1f-45c5-9b7e-b7b5e88cf451", @@ -73,8 +73,8 @@ "Type": 2 }, { - "ID": "Microsoft Azure AD Identity Protection", - "Type": 1 + "ID": "ServicePrincipal_9d47c163-bf1f-45c5-9b7e-b7b5e88cf451", + "Type": 2 }, { "ID": "a3dfc3c6-2c7d-4f42-aeec-b2877f9bce97", @@ -110,8 +110,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", 
@@ -120,24 +120,24 @@ "log.offset": 3360, "o365.audit.Actor": [ { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { - "ID": "1003200112EB07E6", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 2 + "ID": "1003200112EB07E6", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -173,10 +173,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_43399311-1c28-4cce-a8bc-7e6e791473f2", - "Type": 2 - }, { "ID": "43399311-1c28-4cce-a8bc-7e6e791473f2", "Type": 2 @@ -186,12 +182,16 @@ "Type": 2 }, { - "ID": "eve@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_43399311-1c28-4cce-a8bc-7e6e791473f2", + "Type": 2 }, { "ID": "1003200113AE1D62", "Type": 3 + }, + { + "ID": "eve@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -202,8 +202,8 @@ "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "related.user": [ - "root", - "eve" + "eve", + "root" ], "service.type": "o365", "tags": [ @@ -230,8 +230,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", 
@@ -240,24 +240,24 @@ "log.offset": 26184, "o365.audit.Actor": [ { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { - "ID": "1003200112EB07E6", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 2 + "ID": "1003200112EB07E6", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -279,10 +279,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_21119711-1517-43d4-8138-b537dafad016", - "Type": 2 - }, { "ID": "21119711-1517-43d4-8138-b537dafad016", "Type": 2 @@ -292,12 +288,16 @@ "Type": 2 }, { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { "ID": "1003200112EB07E6", "Type": 3 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -342,14 +342,6 @@ "log.offset": 27662, "network.type": "ipv4", "o365.audit.Actor": [ - { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 - }, - { - "ID": "1003200112EB07E6", - "Type": 3 - }, { "ID": "Microsoft Office 365 Portal", "Type": 1 @@ -359,16 +351,24 @@ "Type": 2 }, { - "ID": "User_21119711-1517-43d4-8138-b537dafad016", + "ID": "21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", + "ID": "User", "Type": 2 }, { - "ID": "User", + "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 + }, + { + "ID": "1003200112EB07E6", + "Type": 3 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", 
@@ -396,10 +396,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -409,12 +405,16 @@ "Type": 2 }, { - "ID": "newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -465,24 +465,24 @@ "log.offset": 29455, "o365.audit.Actor": [ { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { - "ID": "1003200112EB07E6", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 2 + "ID": "1003200112EB07E6", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -500,10 +500,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -513,12 +509,16 @@ "Type": 2 }, { - "ID": "newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", 
@@ -557,24 +557,24 @@ "log.offset": 30817, "o365.audit.Actor": [ { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { - "ID": "1003200112EB07E6", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 2 + "ID": "1003200112EB07E6", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -592,10 +592,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -605,12 +601,16 @@ "Type": 2 }, { - "ID": "newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -651,14 +651,6 @@ "log.offset": 32157, "network.type": "ipv4", "o365.audit.Actor": [ - { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 - }, - { - "ID": "1003200112EB07E6", - "Type": 3 - }, { "ID": "Microsoft Office 365 Portal", "Type": 1 @@ -668,16 +660,24 @@ "Type": 2 }, { - "ID": "User_21119711-1517-43d4-8138-b537dafad016", + "ID": "21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", + "ID": "User", "Type": 2 }, { - "ID": "User", + "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 + }, + { + "ID": "1003200112EB07E6", + "Type": 3 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", 
@@ -705,10 +705,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -718,12 +714,16 @@ "Type": 2 }, { - "ID": "newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -769,8 +769,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -779,14 +779,6 @@ "log.offset": 33960, "network.type": "ipv4", "o365.audit.Actor": [ - { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 - }, - { - "ID": "1003200112EB07E6", - "Type": 3 - }, { "ID": "Microsoft Office 365 Portal", "Type": 1 @@ -796,16 +788,24 @@ "Type": 2 }, { - "ID": "User_21119711-1517-43d4-8138-b537dafad016", + "ID": "21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", + "ID": "User", "Type": 2 }, { - "ID": "User", + "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 + }, + { + "ID": "1003200112EB07E6", + "Type": 3 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -833,10 +833,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 
@@ -846,12 +842,16 @@ "Type": 2 }, { - "ID": "newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -863,8 +863,8 @@ "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "related.ip": "52.109.68.40", "related.user": [ - "root", - "newuser" + "newuser", + "root" ], "service.type": "o365", "source.as.number": 8075, @@ -911,14 +911,6 @@ "log.offset": 38085, "network.type": "ipv4", "o365.audit.Actor": [ - { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 - }, - { - "ID": "1003200112EB07E6", - "Type": 3 - }, { "ID": "Microsoft Office 365 Portal", "Type": 1 @@ -928,16 +920,24 @@ "Type": 2 }, { - "ID": "User_21119711-1517-43d4-8138-b537dafad016", + "ID": "21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", + "ID": "User", "Type": 2 }, { - "ID": "User", + "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 + }, + { + "ID": "1003200112EB07E6", + "Type": 3 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -963,10 +963,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -976,12 +972,16 @@ "Type": 2 }, { - "ID": "newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", 
@@ -1025,8 +1025,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -1035,24 +1035,24 @@ "log.offset": 42153, "o365.audit.Actor": [ { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { - "ID": "1003200112EB07E6", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 2 + "ID": "1003200112EB07E6", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -1072,10 +1072,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -1085,12 +1081,16 @@ "Type": 2 }, { - "ID": "6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -1101,8 +1101,8 @@ "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "related.user": [ - "root", - "6d4ca534c337474d8c766c715b31bc52newuser" + "6d4ca534c337474d8c766c715b31bc52newuser", + "root" ], "service.type": "o365", "tags": [ 
@@ -1136,24 +1136,24 @@ "log.offset": 43608, "o365.audit.Actor": [ { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { - "ID": "1003200112EB07E6", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 2 + "ID": "1003200112EB07E6", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -1171,10 +1171,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -1184,12 +1180,16 @@ "Type": 2 }, { - "ID": "newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json index a81af5396cc..2ed3a80f2cd 100644 --- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json @@ -21,15 +21,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { 
@@ -37,12 +37,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -101,8 +101,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", @@ -113,8 +113,8 @@ "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -168,15 +168,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -184,12 +184,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -248,8 +248,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", @@ -260,8 +260,8 @@ "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -315,15 +315,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -331,12 +331,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -395,8 +395,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", @@ -407,8 +407,8 @@ "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -462,15 +462,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -478,12 +478,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -543,23 +543,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { @@ -618,15 +618,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -634,12 +634,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -699,23 +699,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { 
@@ -774,15 +774,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -790,12 +790,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -862,23 +862,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -937,15 +937,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -953,12 +953,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1025,23 +1025,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -1100,15 +1100,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -1116,12 +1116,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1188,23 +1188,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -1263,15 +1263,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -1279,12 +1279,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1351,23 +1351,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -1426,15 +1426,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -1442,12 +1442,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1514,23 +1514,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -1589,15 +1589,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -1605,12 +1605,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1677,23 +1677,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -1752,15 +1752,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -1768,12 +1768,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1840,23 +1840,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -1915,15 +1915,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -1931,12 +1931,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2003,23 +2003,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -2078,15 +2078,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -2094,12 +2094,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2166,23 +2166,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -2241,15 +2241,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -2257,12 +2257,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2329,23 +2329,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -2404,15 +2404,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -2420,12 +2420,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2492,23 +2492,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -2567,15 +2567,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -2583,12 +2583,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2655,23 +2655,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -2730,15 +2730,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -2746,12 +2746,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2818,23 +2818,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -2893,15 +2893,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -2909,12 +2909,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2973,8 +2973,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", @@ -2985,8 +2985,8 @@ "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3040,15 +3040,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -3056,12 +3056,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3120,8 +3120,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", @@ -3132,8 +3132,8 @@ "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3187,15 +3187,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { 
@@ -3203,12 +3203,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3268,23 +3268,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { @@ -3343,15 +3343,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -3359,12 +3359,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3423,8 +3423,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", @@ -3435,8 +3435,8 @@ "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3490,15 +3490,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -3506,12 +3506,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3570,8 +3570,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", @@ -3582,8 +3582,8 @@ "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3637,15 +3637,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -3653,12 +3653,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3717,8 +3717,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", @@ -3729,8 +3729,8 @@ "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3784,15 +3784,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -3800,12 +3800,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3865,23 +3865,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { 
@@ -3940,15 +3940,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -3956,12 +3956,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4028,23 +4028,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -4103,15 +4103,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -4119,12 +4119,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4191,23 +4191,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -4266,15 +4266,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -4282,12 +4282,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4354,23 +4354,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -4429,15 +4429,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -4445,12 +4445,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4517,23 +4517,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -4592,15 +4592,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -4608,12 +4608,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4680,23 +4680,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -4755,15 +4755,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -4771,12 +4771,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4843,23 +4843,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -4918,15 +4918,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -4934,12 +4934,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5006,23 +5006,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -5081,15 +5081,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -5097,12 +5097,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5169,23 +5169,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -5244,15 +5244,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -5260,12 +5260,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5333,23 +5333,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { 
@@ -5408,15 +5408,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -5424,12 +5424,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5497,23 +5497,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { @@ -5562,8 +5562,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5572,24 +5572,24 @@ "log.offset": 177305, "o365.audit.Actor": [ { - "ID": "fim_password_service@support.onmicrosoft.com", - "Type": 5 + "ID": "00000000-0000-0000-0000-000000000000", + "Type": 2 }, { - "ID": "100300008060F582", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_00000000-0000-0000-0000-000000000000", "Type": 2 }, { - "ID": "00000000-0000-0000-0000-000000000000", - "Type": 2 + "ID": "100300008060F582", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "fim_password_service@support.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", @@ -5647,10 +5647,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 - }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 2 @@ -5660,12 +5656,16 @@ "Type": 2 }, { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5676,8 +5676,8 @@ "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": [ - "fim_password_service", - "asr" + "asr", + "fim_password_service" ], "service.type": "o365", "tags": [ @@ -5714,15 +5714,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { 
@@ -5730,12 +5730,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5802,7 +5802,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -5814,11 +5818,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { @@ -5877,15 +5877,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -5893,12 +5893,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5965,7 +5965,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -5977,11 +5981,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { 
@@ -6040,15 +6040,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -6056,12 +6056,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6128,7 +6128,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -6140,11 +6144,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { @@ -6203,15 +6203,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -6219,12 +6219,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6291,23 +6291,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -6366,15 +6366,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -6382,12 +6382,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6454,23 +6454,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -6529,15 +6529,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -6545,12 +6545,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6617,23 +6617,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -6692,15 +6692,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -6708,12 +6708,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6780,23 +6780,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -6855,15 +6855,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -6871,12 +6871,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6943,23 +6943,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -7018,15 +7018,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -7034,12 +7034,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7106,23 +7106,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -7181,15 +7181,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -7197,12 +7197,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -7269,23 +7269,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -7344,15 +7344,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -7360,12 +7360,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7432,23 +7432,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -7507,15 +7507,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -7523,12 +7523,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7595,23 +7595,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -7670,15 +7670,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -7686,12 +7686,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -7758,23 +7758,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -7833,15 +7833,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -7849,12 +7849,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7921,23 +7921,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -7996,15 +7996,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -8012,12 +8012,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8084,23 +8084,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -8159,15 +8159,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -8175,12 +8175,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -8248,23 +8248,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { @@ -8323,15 +8323,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -8339,12 +8339,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8412,23 +8412,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "ID": "siem", + "Type": 1 }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", "Type": 2 }, { - "ID": "siem", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", "Type": 2 }, { 
@@ -8487,15 +8487,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -8503,12 +8503,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8575,7 +8575,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -8587,11 +8591,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { @@ -8650,15 +8650,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -8666,12 +8666,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -8738,7 +8738,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -8750,11 +8754,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { @@ -8813,15 +8813,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -8829,12 +8829,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8901,7 +8901,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -8913,11 +8917,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { @@ -8976,15 +8976,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { 
@@ -8992,12 +8992,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9064,23 +9064,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "ID": "Microsoft Graph", + "Type": 1 }, { - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 + "ID": "ServicePrincipal", + "Type": 2 }, { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { @@ -9139,15 +9139,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -9155,12 +9155,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -9227,23 +9227,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -9302,15 +9302,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -9318,12 +9318,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9390,23 +9390,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -9465,15 +9465,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -9481,12 +9481,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9553,23 +9553,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -9628,15 +9628,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -9644,12 +9644,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -9716,23 +9716,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -9791,15 +9791,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -9807,12 +9807,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9879,23 +9879,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -9954,15 +9954,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -9970,12 +9970,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10040,8 +10040,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -10052,8 +10052,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10107,15 +10107,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -10123,12 +10123,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -10193,8 +10193,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -10205,8 +10205,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10260,15 +10260,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -10276,12 +10276,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10346,8 +10346,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -10358,8 +10358,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10413,15 +10413,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { 
@@ -10429,12 +10429,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10499,8 +10499,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -10511,8 +10511,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10566,15 +10566,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -10582,12 +10582,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10649,10 +10649,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 - }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 2 
@@ -10662,12 +10658,16 @@ "Type": 2 }, { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10721,15 +10721,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -10737,12 +10737,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10812,11 +10812,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -10824,11 +10824,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -10887,15 +10887,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { 
@@ -10903,12 +10903,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10978,11 +10978,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -10990,11 +10990,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -11053,15 +11053,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -11069,12 +11069,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11144,11 +11144,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { 
@@ -11156,11 +11156,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -11219,15 +11219,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -11235,12 +11235,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11310,11 +11310,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -11322,11 +11322,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -11385,15 +11385,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { 
@@ -11401,12 +11401,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11461,8 +11461,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -11473,8 +11473,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11528,15 +11528,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -11544,12 +11544,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11608,8 +11608,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -11620,8 +11620,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11675,15 +11675,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -11691,12 +11691,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11755,8 +11755,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -11767,8 +11767,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11822,15 +11822,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -11838,12 +11838,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11903,11 +11903,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -11915,11 +11915,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -11978,15 +11978,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -11994,12 +11994,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12059,11 +12059,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -12071,11 +12071,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { 
@@ -12134,15 +12134,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -12150,12 +12150,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12215,11 +12215,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -12227,11 +12227,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -12290,15 +12290,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -12306,12 +12306,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -12370,8 +12370,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -12382,8 +12382,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12437,15 +12437,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -12453,12 +12453,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12517,8 +12517,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -12529,8 +12529,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12584,15 +12584,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { 
@@ -12600,12 +12600,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12664,8 +12664,8 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", @@ -12676,8 +12676,8 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 } ], "o365.audit.TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12731,15 +12731,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -12747,12 +12747,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12812,11 +12812,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -12824,11 +12824,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { 
@@ -12887,15 +12887,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -12903,12 +12903,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12968,11 +12968,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -12980,11 +12980,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -13043,15 +13043,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -13059,12 +13059,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -13124,11 +13124,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -13136,11 +13136,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -13199,15 +13199,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -13215,12 +13215,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13287,23 +13287,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -13362,15 +13362,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -13378,12 +13378,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13450,23 +13450,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -13525,15 +13525,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -13541,12 +13541,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -13613,23 +13613,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -13688,15 +13688,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -13704,12 +13704,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13776,23 +13776,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -13851,15 +13851,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -13867,12 +13867,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13939,23 +13939,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -14014,15 +14014,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -14030,12 +14030,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -14102,23 +14102,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -14177,15 +14177,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -14193,12 +14193,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14265,23 +14265,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { 
@@ -14340,15 +14340,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -14356,12 +14356,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14428,23 +14428,23 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "ID": "ServicePrincipal", "Type": 2 }, { - "ID": "ServicePrincipal", + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { - "ID": "Office 365 Management APIs", - "Type": 1 + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", "Type": 2 }, { @@ -14503,15 +14503,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -14519,12 +14519,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -14591,7 +14591,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -14603,11 +14607,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { @@ -14666,15 +14666,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -14682,12 +14682,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14754,7 +14754,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -14766,11 +14770,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { 
@@ -14829,15 +14829,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -14845,12 +14845,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14917,7 +14917,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "ID": "Microsoft Graph", + "Type": 1 + }, + { + "ID": "00000003-0000-0000-c000-000000000000", "Type": 2 }, { @@ -14929,11 +14933,7 @@ "Type": 2 }, { - "ID": "Microsoft Graph", - "Type": 1 - }, - { - "ID": "00000003-0000-0000-c000-000000000000", + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", "Type": 2 }, { @@ -14992,15 +14992,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -15008,12 +15008,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -15081,11 +15081,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -15093,11 +15093,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -15156,15 +15156,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -15172,12 +15172,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15245,11 +15245,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -15257,11 +15257,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { 
@@ -15320,15 +15320,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -15336,12 +15336,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15409,11 +15409,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -15421,11 +15421,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -15484,15 +15484,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -15500,12 +15500,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -15570,11 +15570,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -15582,11 +15582,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { @@ -15645,15 +15645,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -15661,12 +15661,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15731,11 +15731,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -15743,11 +15743,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { 
@@ -15806,15 +15806,15 @@ "network.type": "ipv4", "o365.audit.Actor": [ { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "ID": "1003200096971F55", - "Type": 3 + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "ID": "User", "Type": 2 }, { @@ -15822,12 +15822,12 @@ "Type": 2 }, { - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "ID": "1003200096971F55", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15892,11 +15892,11 @@ "o365.audit.SupportTicketId": "", "o365.audit.Target": [ { - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "ID": "siem2", + "Type": 1 }, { - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "Type": 2 }, { @@ -15904,11 +15904,11 @@ "Type": 2 }, { - "ID": "siem2", - "Type": 1 + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "Type": 2 }, { diff --git a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json index 7996a2d808d..6eae8240451 100644 --- a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json @@ -2,8 +2,8 @@ { "@timestamp": "2020-02-24T20:11:15.000Z", "destination.user.email": [ - "asr@example.org", - "asr@example.net" + "asr@example.net", + "asr@example.org" ], "event.action": "DlpRuleMatch", "event.category": "file", 
@@ -134,8 +134,8 @@ "o365.audit.Workload": "Exchange", "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "rule.id": [ - "51e3d97a-e159-4645-9092-608bd24e083a", - "51e3d97a-1234-4645-9092-608bd24e083a" + "51e3d97a-1234-4645-9092-608bd24e083a", + "51e3d97a-e159-4645-9092-608bd24e083a" ], "rule.name": [ "High volume of content detected test", @@ -151,8 +151,8 @@ { "@timestamp": "2020-02-24T20:11:15.000Z", "destination.user.email": [ - "asr@example.org", - "asr@example.net" + "asr@example.net", + "asr@example.org" ], "event.action": "DlpRuleUndo", "event.category": "file", @@ -283,8 +283,8 @@ "o365.audit.Workload": "Exchange", "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "rule.id": [ - "51e3d97a-e159-4645-9092-608bd24e083a", - "51e3d97a-1234-4645-9092-608bd24e083a" + "51e3d97a-1234-4645-9092-608bd24e083a", + "51e3d97a-e159-4645-9092-608bd24e083a" ], "rule.name": [ "High volume of content detected test", @@ -300,8 +300,8 @@ { "@timestamp": "2020-02-24T20:11:15.000Z", "destination.user.email": [ - "asr@example.org", - "asr@example.net" + "asr@example.net", + "asr@example.org" ], "event.action": "DlpRuleMatch", "event.category": "file", @@ -433,8 +433,8 @@ "o365.audit.Workload": "Exchange", "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "rule.id": [ - "51e3d97a-e159-4645-9092-608bd24e083a", - "51e3d97a-1234-4645-9092-608bd24e083a" + "51e3d97a-1234-4645-9092-608bd24e083a", + "51e3d97a-e159-4645-9092-608bd24e083a" ], "rule.name": [ "High volume of content detected test", @@ -450,8 +450,8 @@ { "@timestamp": "2020-02-24T20:11:15.000Z", "destination.user.email": [ - "asr@example.org", - "asr@example.net" + "asr@example.net", + "asr@example.org" ], "event.action": "DlpRuleMatch", "event.category": "file", 
@@ -583,8 +583,8 @@ "o365.audit.Workload": "Exchange", "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "rule.id": [ - "51e3d97a-e159-4645-9092-608bd24e083a", - "51e3d97a-1234-4645-9092-608bd24e083a" + "51e3d97a-1234-4645-9092-608bd24e083a", + "51e3d97a-e159-4645-9092-608bd24e083a" ], "rule.name": [ "High volume of content detected test", @@ -600,8 +600,8 @@ { "@timestamp": "2020-02-24T20:11:15.000Z", "destination.user.email": [ - "asr@example.org", - "asr@example.net" + "asr@example.net", + "asr@example.org" ], "event.action": "DlpRuleMatch", "event.category": "file", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 749af2475a3..986c8a23ca9 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -13,8 +13,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -27,13 +27,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -112,8 +112,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -126,13 +126,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -211,8 +211,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -225,13 +225,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -310,8 +310,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -324,13 +324,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -409,8 +409,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -423,13 +423,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -508,8 +508,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -522,13 +522,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -607,8 +607,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -621,13 +621,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -706,8 +706,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -720,13 +720,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -805,8 +805,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -819,13 +819,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -904,8 +904,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -918,13 +918,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1003,8 +1003,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1017,13 +1017,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1102,8 +1102,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1116,13 +1116,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1201,8 +1201,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1215,13 +1215,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1300,8 +1300,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1314,13 +1314,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1399,8 +1399,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1413,13 +1413,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1495,8 +1495,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1509,13 +1509,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1594,8 +1594,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1608,13 +1608,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1693,8 +1693,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1707,13 +1707,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1789,8 +1789,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1803,13 +1803,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1888,8 +1888,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1902,13 +1902,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1987,8 +1987,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2001,13 +2001,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2086,8 +2086,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2100,13 +2100,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2185,8 +2185,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2199,13 +2199,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2284,8 +2284,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2298,13 +2298,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2383,8 +2383,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2397,13 +2397,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2482,8 +2482,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2496,13 +2496,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2581,8 +2581,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2595,13 +2595,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2680,8 +2680,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2694,13 +2694,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2779,8 +2779,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2793,13 +2793,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2878,8 +2878,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2892,13 +2892,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2976,8 +2976,8 @@ "event.outcome": "failure", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_failure" + "authentication_failure", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2990,13 +2990,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3076,8 +3076,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3161,8 +3161,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3175,13 +3175,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3260,8 +3260,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3345,8 +3345,8 @@ "event.outcome": "failure", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_failure" + "authentication_failure", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3359,13 +3359,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3445,8 +3445,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3530,8 +3530,8 @@ "event.outcome": "failure", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_failure" + "authentication_failure", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3544,13 +3544,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3630,8 +3630,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3644,13 +3644,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3729,8 +3729,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3743,13 +3743,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3828,8 +3828,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3913,8 +3913,8 @@ "event.outcome": "failure", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_failure" + "authentication_failure", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3927,13 +3927,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4013,8 +4013,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4027,13 +4027,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4109,8 +4109,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4123,13 +4123,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4208,8 +4208,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4222,13 +4222,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4307,8 +4307,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4392,8 +4392,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4406,13 +4406,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4491,8 +4491,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4505,13 +4505,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4590,8 +4590,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4604,13 +4604,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4689,8 +4689,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4703,13 +4703,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4788,8 +4788,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4802,13 +4802,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4887,8 +4887,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4901,13 +4901,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4986,8 +4986,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5000,13 +5000,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5085,8 +5085,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5099,13 +5099,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5184,8 +5184,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5198,13 +5198,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5283,8 +5283,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5297,13 +5297,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5382,8 +5382,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5396,13 +5396,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5481,8 +5481,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5495,13 +5495,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5580,8 +5580,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5594,13 +5594,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5679,8 +5679,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5693,13 +5693,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5775,8 +5775,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5789,13 +5789,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5874,8 +5874,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5888,13 +5888,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5973,8 +5973,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5987,13 +5987,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6072,8 +6072,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6086,13 +6086,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6171,8 +6171,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6185,13 +6185,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6270,8 +6270,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6284,13 +6284,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6369,8 +6369,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6383,13 +6383,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6468,8 +6468,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6482,13 +6482,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6567,8 +6567,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6581,13 +6581,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6666,8 +6666,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6680,13 +6680,13 @@ "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", "Type": 0 }, - { - "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 - }, { "ID": "1003200096971F55", "Type": 3 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json index e6326bf27b1..208c07f1fbc 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json @@ -14,8 +14,8 @@ "event.outcome": "success", "event.provider": "Yammer", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "audit", "group.name": "Sales", @@ -76,8 +76,8 @@ "event.outcome": "success", "event.provider": "Yammer", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "audit", "group.name": "Company group", diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json index 89a70bc165f..b0d29652926 100644 --- a/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json 
@@ -11,8 +11,8 @@ "event.outcome": "success", "event.provider": "MicrosoftTeams", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "audit", "group.name": "users", @@ -55,8 +55,8 @@ "event.outcome": "success", "event.provider": "MicrosoftTeams", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -1312,8 +1312,8 @@ "event.outcome": "success", "event.provider": "MicrosoftTeams", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "audit", "group.name": "users", @@ -1356,8 +1356,8 @@ "event.outcome": "success", "event.provider": "MicrosoftTeams", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -2615,8 +2615,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -2709,8 +2709,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -2803,8 +2803,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -2897,8 +2897,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", 
@@ -2989,8 +2989,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "user", - "deletion" + "deletion", + "user" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -2999,24 +2999,24 @@ "log.offset": 41567, "o365.audit.Actor": [ { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { - "ID": "1003200112EB07E6", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 2 + "ID": "1003200112EB07E6", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -3036,10 +3036,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -3049,12 +3045,16 @@ "Type": 2 }, { - "ID": "6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -3065,8 +3065,8 @@ "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "related.user": [ - "root", - "6d4ca534c337474d8c766c715b31bc52newuser" + "6d4ca534c337474d8c766c715b31bc52newuser", + "root" ], "service.type": "o365", "tags": [ 
@@ -3100,24 +3100,24 @@ "log.offset": 43022, "o365.audit.Actor": [ { - "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 2 }, { - "ID": "1003200112EB07E6", - "Type": 3 + "ID": "User", + "Type": 2 }, { "ID": "User_21119711-1517-43d4-8138-b537dafad016", "Type": 2 }, { - "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 2 + "ID": "1003200112EB07E6", + "Type": 3 }, { - "ID": "User", - "Type": 2 + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -3135,10 +3135,6 @@ "o365.audit.ResultStatus": "Success", "o365.audit.SupportTicketId": "", "o365.audit.Target": [ - { - "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", - "Type": 2 - }, { "ID": "6d4ca534-c337-474d-8c76-6c715b31bc52", "Type": 2 @@ -3148,12 +3144,16 @@ "Type": 2 }, { - "ID": "newuser@testsiem4.onmicrosoft.com", - "Type": 5 + "ID": "User_6d4ca534-c337-474d-8c76-6c715b31bc52", + "Type": 2 }, { "ID": "10032001131B9761", "Type": 3 + }, + { + "ID": "newuser@testsiem4.onmicrosoft.com", + "Type": 5 } ], "o365.audit.TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -3187,8 +3187,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -3283,8 +3283,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -3379,8 +3379,8 @@ "event.outcome": "success", "event.provider": "AzureActiveDirectory", "event.type": [ - "start", - "authentication_success" + "authentication_success", + "start" ], "fileset.name": "audit", "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", 
diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json index 4d3bf4463fc..60f79dc7c22 100644 --- a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json @@ -11,8 +11,8 @@ "event.outcome": "success", "event.provider": "MicrosoftTeams", "event.type": [ - "group", - "creation" + "creation", + "group" ], "fileset.name": "audit", "group.name": "SIEMTest", @@ -50,8 +50,8 @@ "event.outcome": "success", "event.provider": "MicrosoftTeams", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -63,24 +63,24 @@ "o365.audit.ItemName": "SIEMTest", "o365.audit.Members": [ { - "DisplayName": "David", + "DisplayName": "Alice", "Role": 1, - "UPN": "david@testsiem.onmicrosoft.com" + "UPN": "alice@testsiem.onmicrosoft.com" }, { - "DisplayName": "Chuck", + "DisplayName": "Bob", "Role": 1, - "UPN": "chuck@testsiem.onmicrosoft.com" + "UPN": "bob@testsiem.onmicrosoft.com" }, { - "DisplayName": "Bob", + "DisplayName": "Chuck", "Role": 1, - "UPN": "bob@testsiem.onmicrosoft.com" + "UPN": "chuck@testsiem.onmicrosoft.com" }, { - "DisplayName": "Alice", + "DisplayName": "David", "Role": 1, - "UPN": "alice@testsiem.onmicrosoft.com" + "UPN": "david@testsiem.onmicrosoft.com" } ], "o365.audit.Operation": "MemberAdded", @@ -95,11 +95,11 @@ "o365.audit.Workload": "MicrosoftTeams", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": [ - "david@testsiem.onmicrosoft.com", - "chuck@testsiem.onmicrosoft.com", - "bob@testsiem.onmicrosoft.com", "alice@testsiem.onmicrosoft.com", - "asr" + "asr", + "bob@testsiem.onmicrosoft.com", + "chuck@testsiem.onmicrosoft.com", + "david@testsiem.onmicrosoft.com" ], "service.type": "o365", "tags": [ 
@@ -122,8 +122,8 @@ "event.outcome": "success", "event.provider": "MicrosoftTeams", "event.type": [ - "group", - "change" + "change", + "group" ], "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -152,8 +152,8 @@ "o365.audit.Workload": "MicrosoftTeams", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": [ - "asr@testsiem.onmicrosoft.com", - "asr" + "asr", + "asr@testsiem.onmicrosoft.com" ], "service.type": "o365", "tags": [ diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json new file mode 100644 index 00000000000..4f722ffd591 --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json 
@@ -0,0 +1,308 @@ +[ + { + "@timestamp": "2021-03-24T11:30:00.000-02:00", + "client.address": "10.52.36.15", + "client.ip": "10.52.36.15", + "client.nat.ip": "11.134.5.168", + "event.code": "portal-prelogin", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "09300bcc-23-4900-8de9-32695452fa", + "host.ip": "10.52.36.15", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", + "input.type": "log", + "log.offset": 0, + "log.original": "1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect Portal,69200719497738,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect Portal", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 69200719497738, + "panw.panos.source.nat.ip": "11.134.5.168", + "panw.panos.stage": "before-login", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect Portal" + ], + "related.ip": [ + "10.52.36.15", + "11.134.5.168" + ], + "service.type": "panw", + "source.address": "10.52.36.15", + "source.geo.name": "BE", + "source.ip": "10.52.36.15", + "source.nat.ip": "11.134.5.168", + "tags": [ + "forwarded", + "pan-os" + ] + }, + { + "@timestamp": "2021-03-24T11:29:49.000-02:00", + "client.address": "10.20.13.217", + "client.ip": "10.20.13.217", + "client.nat.ip": "83.14.113.11", + "event.code": 
"gateway-config-release", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "e0957c11-93-437a-9e23-9f0c24059898", + "host.ip": "10.20.13.217", + "host.name": "CP935", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", + "input.type": "log", + "log.offset": 304, + "log.original": "1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001308", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 6919501582016786, + "panw.panos.serial_number": "5J9VN53", + "panw.panos.source.nat.ip": "83.14.113.11", + "panw.panos.stage": "configuration", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "10.20.13.217", + "83.14.113.11" + ], + "related.user": [ + "user" + ], + "service.type": "panw", + "source.address": "10.20.13.217", + "source.geo.name": "BE", + "source.ip": "10.20.13.217", + "source.nat.ip": "83.14.113.11", + "source.user.domain": "domain", + "source.user.name": "user", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "domain", + "user.name": "user" + }, + { + "@timestamp": "2021-04-07T17:41:30.000-02:00", + "client.address": "12.30.0.210", + "client.ip": "12.30.0.210", + 
"client.nat.ip": "7.2.2.193", + "event.code": "gateway-hip-check", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "523e8b-7efa-4397-a4d5-824dfa4d8a", + "host.ip": "12.30.0.210", + "host.name": "HOST82878", + "input.type": "log", + "log.offset": 640, + "log.original": "1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\\user1,,HOST82878,7.2.2.193,0.0.0.0,12.30.0.210,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,\"\",1,,,\"HIP report is not needed\",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "HIP report is not needed", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 6920071768563516860, + "panw.panos.serial_number": "F1SM2", + "panw.panos.source.nat.ip": "7.2.2.193", + "panw.panos.stage": "host-info", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "12.30.0.210", + "7.2.2.193" + ], + "related.user": [ + "user1" + ], + "service.type": "panw", + "source.address": "12.30.0.210", + "source.as.number": 7018, + "source.as.organization.name": "AT&T Services, Inc.", + "source.geo.city_name": "Greenwood", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 39.5992, + "source.geo.location.lon": -86.13, + "source.geo.region_iso_code": "US-IN", + "source.geo.region_name": 
"Indiana", + "source.ip": "12.30.0.210", + "source.nat.ip": "7.2.2.193", + "source.user.domain": "domain", + "source.user.name": "user1", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "domain", + "user.name": "user1" + }, + { + "@timestamp": "2021-04-07T17:41:29.000-02:00", + "client.address": "1.40.2.67", + "client.ip": "1.40.2.67", + "client.nat.ip": "7.2.2.171", + "event.code": "gateway-getconfig", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "7d01b5-f538-4fa3-a2a2-83980d1325", + "host.ip": "1.40.2.67", + "host.name": "HOST73486", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", + "input.type": "log", + "log.offset": 946, + "log.original": "1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"Config name: , Client region: BE.\",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101308", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "Config name: , Client region: BE.", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 6944137135219737, + "panw.panos.serial_number": "5C261FNR", + "panw.panos.source.nat.ip": "7.2.2.171", + "panw.panos.stage": "configuration", + "panw.panos.sub_type": "0", + "panw.panos.tunnel_type": "IPSec", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": 
[ + "1.40.2.67", + "7.2.2.171" + ], + "related.user": [ + "pre-logon" + ], + "service.type": "panw", + "source.address": "1.40.2.67", + "source.as.number": 4804, + "source.as.organization.name": "Microplex PTY LTD", + "source.geo.city_name": "Seven Hills", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.777, + "source.geo.location.lon": 150.9373, + "source.geo.name": "BE", + "source.geo.region_iso_code": "AU-NSW", + "source.geo.region_name": "New South Wales", + "source.ip": "1.40.2.67", + "source.nat.ip": "7.2.2.171", + "source.user.name": "pre-logon", + "tags": [ + "forwarded", + "pan-os" + ], + "user.name": "pre-logon" + }, + { + "@timestamp": "2021-04-07T17:41:28.000-02:00", + "client.address": "0.0.0.0", + "client.ip": "0.0.0.0", + "client.nat.ip": "7.2.17.120", + "event.code": "gateway-tunnel-latency", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "2ba9f01-b83b-4902-a1fb-1748c0365", + "host.ip": "0.0.0.0", + "host.name": "HOSTP92413", + "input.type": "log", + "log.offset": 1307, + "log.original": "1,2021/04/07 17:41:28,0131001309,GLOBALPROTECT,0,2305,2021/04/07 17:41:28,vsys1,gateway-tunnel-latency,tunnel,,,,userlterso,HOSTP92413,7.2.17.120,0.0.0.0,0.0.0.0,0.0.0.0,2ba9f01-b83b-4902-a1fb-1748c0365,GJG98Y2,5.2.4,,\"\",1,,,\"Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms\",success,,0,,0,GlobalProtect_GW,6920071768563516847,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "0131001309", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms", + 
"panw.panos.error_code": "0", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 6920071768563516847, + "panw.panos.serial_number": "GJG98Y2", + "panw.panos.source.nat.ip": "7.2.17.120", + "panw.panos.stage": "tunnel", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "0.0.0.0", + "7.2.17.120" + ], + "service.type": "panw", + "source.address": "0.0.0.0", + "source.geo.name": "userlterso", + "source.ip": "0.0.0.0", + "source.nat.ip": "7.2.17.120", + "tags": [ + "forwarded", + "pan-os" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index bf6ff1e9006..f828cf1bbb1 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -17,8 +17,8 @@ "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -39,8 +39,8 @@ "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -61,8 +61,8 @@ "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -83,8 +83,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -105,8 +105,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -127,8 +127,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -149,8 +149,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -171,8 +171,8 @@ "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -193,8 +193,8 @@ "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -215,8 +215,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -237,8 +237,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -259,8 +259,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -281,8 +281,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -303,8 +303,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -325,8 +325,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -347,8 +347,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -369,8 +369,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -391,8 +391,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -413,8 +413,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -435,8 +435,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -457,8 +457,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -479,8 +479,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -501,8 +501,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -523,8 +523,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -545,8 +545,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -567,8 +567,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -589,8 +589,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -611,8 +611,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -633,8 +633,8 @@ "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -655,8 +655,8 @@ "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -677,8 +677,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -699,8 +699,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -721,8 +721,8 @@ "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -749,8 +749,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -762,8 +762,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -802,9 +802,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -822,8 +822,15 @@ "source.port": 59309, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index 5388af2b903..78d2f9aa047 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -20,9 +20,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -74,9 +74,9 @@ "lorexx.cn" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -91,8 +91,8 @@ "source.port": 59309, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "lorexx.cn", "url.extension": "exe", @@ -120,9 +120,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
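Review bot: The hunk `@@ -822,8 +822,15 @@` in pan_inc_other.log-expected.json commits unresolved cherry-pick conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 52f226530d...`) into the expected-output file, which makes it invalid JSON and will break the panos module's golden-file comparison at parse time rather than at the array-ordering check this commit is meant to fix. The conflict needs resolving before merge: the sorted tag order from the cherry-picked side is the intended outcome, i.e. `"tags": [ "forwarded", "pan-os" ]` with the HEAD block dropped, and the closing `]` restored. Whether `"user.name": "crusher"` belongs in the resolved object depends on whether this branch's panos pipeline actually emits `user.name` — the HEAD side of this file does not contain it, so presumably that field came from a pipeline change that may not have been backported alongside this one; regenerating the expected file with the module test harness rather than hand-editing would settle that. The other sections of this patch touching the same file list are generated data and look fine once this conflict is cleared.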
@@ -174,9 +174,9 @@ "lsiu.info" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -191,8 +191,8 @@ "source.port": 59313, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "lsiu.info", "url.extension": "php", @@ -221,9 +221,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -275,9 +275,9 @@ "lsiu.info" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -292,8 +292,8 @@ "source.port": 59314, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "lsiu.info", "url.extension": "php", @@ -322,9 +322,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -376,9 +376,9 @@ "lsiu.info" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -393,8 +393,8 @@ "source.port": 59315, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "lsiu.info", "url.extension": "php", @@ -423,9 +423,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -477,9 +477,9 @@ "lsiu.info" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -494,8 +494,8 @@ "source.port": 59316, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "lsiu.info", "url.extension": "php", @@ -524,9 +524,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -578,9 +578,9 @@ "lsiu.info" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -595,8 +595,8 @@ "source.port": 59317, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "lsiu.info", "url.extension": "php", @@ -625,9 +625,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -679,9 +679,9 @@ "liteautobestguide.cn" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -696,8 +696,8 @@ "source.port": 59302, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "liteautobestguide.cn", "url.extension": "php", @@ -725,9 +725,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -779,9 +779,9 @@ "liteautobestguide.cn" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -796,8 +796,8 @@ "source.port": 59301, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "liteautobestguide.cn", "url.extension": "php", @@ -825,9 +825,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -879,9 +879,9 @@ "litetopdetect.cn" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -896,8 +896,8 @@ "source.port": 59303, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "litetopdetect.cn", "url.extension": "php", @@ -925,9 +925,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -979,9 +979,9 @@ "lkmpmlm.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -996,8 +996,8 @@ "source.port": 59304, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "lkmpmlm.com", "url.extension": "php", @@ -1026,9 +1026,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1080,9 +1080,9 @@ "girlteenxxxfreemov.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -1097,8 +1097,8 @@ "source.port": 59297, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "girlteenxxxfreemov.com", "url.original": "girlteenxxxfreemov.com/", @@ -1125,9 +1125,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1179,9 +1179,9 @@ "imagesrepository.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1196,8 +1196,8 @@ "source.port": 59299, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "imagesrepository.com", "url.extension": "php", @@ -1225,9 +1225,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1279,9 +1279,9 @@ "hottestfiles.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1296,8 +1296,8 @@ "source.port": 59298, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "hottestfiles.com", "url.extension": "php", @@ -1326,9 +1326,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1379,9 +1379,9 @@ "infodist1.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -1396,8 +1396,8 @@ "source.port": 59300, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "infodist1.com", "url.extension": "cgi", @@ -1426,9 +1426,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1480,9 +1480,9 @@ "cls-softwares.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1497,8 +1497,8 @@ "source.port": 59295, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "cls-softwares.com", "url.extension": "php", @@ -1526,9 +1526,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1580,9 +1580,9 @@ "cls-softwares.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1597,8 +1597,8 @@ "source.port": 59291, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "cls-softwares.com", "url.extension": "exe", @@ -1623,9 +1623,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1676,9 +1676,9 @@ "findmorepill.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "78.159.99.224", - "0.0.0.0" + "78.159.99.224" ], "related.user": [ "crusher" 
@@ -1693,8 +1693,8 @@ "source.port": 59296, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "findmorepill.com", "url.extension": "php", @@ -1723,9 +1723,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1777,9 +1777,9 @@ "allowedwebsurfing.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1794,8 +1794,8 @@ "source.port": 59280, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "allowedwebsurfing.com", "url.original": "allowedwebsurfing.com/", @@ -1822,9 +1822,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1876,9 +1876,9 @@ "antivirus-remote.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1893,8 +1893,8 @@ "source.port": 59281, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "antivirus-remote.com", "url.original": "antivirus-remote.com/", @@ -1921,9 +1921,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1975,9 +1975,9 @@ "bklinkov.ru" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -1992,8 +1992,8 @@ "source.port": 59282, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "bklinkov.ru", "url.extension": "cfg", @@ -2021,9 +2021,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2075,9 +2075,9 @@ "blogsexnakedgirlxxx.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2092,8 +2092,8 @@ "source.port": 59290, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "blogsexnakedgirlxxx.com", "url.original": "blogsexnakedgirlxxx.com/", @@ -2120,9 +2120,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2174,9 +2174,9 @@ "bklinkov.ru" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2191,8 +2191,8 @@ "source.port": 59286, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "bklinkov.ru", "url.extension": "exe", @@ -2220,9 +2220,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2271,9 +2271,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -2288,8 +2288,8 @@ "source.port": 59275, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -2314,9 +2314,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2365,9 +2365,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2382,8 +2382,8 @@ "source.port": 59277, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -2408,9 +2408,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2459,9 +2459,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2476,8 +2476,8 @@ "source.port": 59276, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -2502,9 +2502,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2553,9 +2553,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -2570,8 +2570,8 @@ "source.port": 59278, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -2596,9 +2596,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2647,9 +2647,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2664,8 +2664,8 @@ "source.port": 59279, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -2690,9 +2690,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2741,9 +2741,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2758,8 +2758,8 @@ "source.port": 59271, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -2784,9 +2784,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2835,9 +2835,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -2852,8 +2852,8 @@ "source.port": 59269, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -2878,9 +2878,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2929,9 +2929,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2946,8 +2946,8 @@ "source.port": 59270, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -2972,9 +2972,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3023,9 +3023,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -3040,8 +3040,8 @@ "source.port": 59274, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -3066,9 +3066,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3117,9 +3117,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -3134,8 +3134,8 @@ "source.port": 59273, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -3160,9 +3160,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3211,9 +3211,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -3228,8 +3228,8 @@ "source.port": 59272, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.original": "-/" }, @@ -3251,9 +3251,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3304,9 +3304,9 @@ "wantfinest.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "69.43.161.167", - "0.0.0.0" + "69.43.161.167" ], "related.user": [ "crusher" @@ -3321,8 +3321,8 @@ "source.port": 59261, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "wantfinest.com", "url.extension": "cgi", @@ -3348,9 +3348,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3401,9 +3401,9 @@ "sameshitasiteverwas.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "202.31.187.154", - "0.0.0.0" + "202.31.187.154" ], "related.user": [ "crusher" 
@@ -3418,8 +3418,8 @@ "source.port": 59248, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "sameshitasiteverwas.com", "url.extension": "cgi", @@ -3445,9 +3445,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3498,9 +3498,9 @@ "svarkon.ru" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "89.111.176.67", - "0.0.0.0" + "89.111.176.67" ], "related.user": [ "crusher" @@ -3515,8 +3515,8 @@ "source.port": 59251, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "svarkon.ru", "url.extension": "exe", @@ -3544,9 +3544,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3597,9 +3597,9 @@ "onlinescanxpp.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -3614,8 +3614,8 @@ "source.port": 59244, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "onlinescanxpp.com", "url.extension": "php", @@ -3641,9 +3641,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3694,9 +3694,9 @@ "nolagtime.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "208.73.210.29", - "0.0.0.0" + "208.73.210.29" ], "related.user": [ "crusher" 
@@ -3711,8 +3711,8 @@ "source.port": 59237, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "nolagtime.com", "url.original": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", @@ -3737,9 +3737,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3790,9 +3790,9 @@ "nolagtime.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "208.73.210.29", - "0.0.0.0" + "208.73.210.29" ], "related.user": [ "crusher" @@ -3807,8 +3807,8 @@ "source.port": 59238, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "nolagtime.com", "url.extension": "txt", @@ -3836,9 +3836,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3889,9 +3889,9 @@ "karavan.us" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -3906,8 +3906,8 @@ "source.port": 59010, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "karavan.us", "url.extension": "php", @@ -3932,9 +3932,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -3985,9 +3985,9 @@ "findnolimits.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "208.73.210.29", - "0.0.0.0" + "208.73.210.29" ], "related.user": [ "crusher" @@ -4002,8 +4002,8 @@ "source.port": 58969, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "findnolimits.com", "url.extension": "php", @@ -4029,9 +4029,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4082,9 +4082,9 @@ "bizoplata.ru" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "89.108.64.156", - "0.0.0.0" + "89.108.64.156" ], "related.user": [ "crusher" @@ -4099,8 +4099,8 @@ "source.port": 58941, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "bizoplata.ru", "url.extension": "html", @@ -4125,9 +4125,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4178,9 +4178,9 @@ "bizoplata.ru" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "89.108.64.156", - "0.0.0.0" + "89.108.64.156" ], "related.user": [ "crusher" @@ -4195,8 +4195,8 @@ "source.port": 58942, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "bizoplata.ru", "url.extension": "html", @@ -4214,9 +4214,9 @@ "destination.user.name": "crusher", "event.action": "spyware_detected", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -4263,9 +4263,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "204.232.231.46", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -4290,8 +4290,8 @@ "source.ip": "204.232.231.46", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4315,9 +4315,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4368,9 +4368,9 @@ "www.15min.it" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "216.8.179.25", - "0.0.0.0" + "216.8.179.25" ], "related.user": [ "crusher" @@ -4385,8 +4385,8 @@ "source.port": 58856, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "www.15min.it", "url.original": "www.15min.it/", @@ -4410,9 +4410,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4463,9 +4463,9 @@ "tubemov.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "69.43.161.154", - "0.0.0.0" + "69.43.161.154" ], "related.user": [ "crusher" @@ -4480,8 +4480,8 @@ "source.port": 58847, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "tubemov.com", "url.original": "tubemov.com/", @@ -4505,9 +4505,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4558,9 +4558,9 @@ "pagesinxt.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "208.91.196.252", - "0.0.0.0" + "208.91.196.252" ], "related.user": [ "crusher" 
@@ -4575,8 +4575,8 @@ "source.port": 58841, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "pagesinxt.com", "url.original": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js", @@ -4601,9 +4601,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4654,9 +4654,9 @@ "movfree.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "208.73.210.29", - "0.0.0.0" + "208.73.210.29" ], "related.user": [ "crusher" @@ -4671,8 +4671,8 @@ "source.port": 58795, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "movfree.com", "url.original": "movfree.com/", @@ -4699,9 +4699,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4752,9 +4752,9 @@ "gometascan.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -4769,8 +4769,8 @@ "source.port": 58753, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "gometascan.com", "url.original": "gometascan.com/", @@ -4797,9 +4797,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4850,9 +4850,9 @@ "antivirus-powerful-scannerv2.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -4867,8 +4867,8 @@ "source.port": 58708, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "antivirus-powerful-scannerv2.com", "url.extension": "exe", @@ -4896,9 +4896,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4949,9 +4949,9 @@ "antivirus-powerful-scannerv2.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -4966,8 +4966,8 @@ "source.port": 58707, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "antivirus-powerful-scannerv2.com", "url.original": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N", @@ -4995,9 +4995,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5048,9 +5048,9 @@ "basdzsdas.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -5065,8 +5065,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "basdzsdas.com", "url.extension": "bin", @@ -5094,9 +5094,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5147,9 +5147,9 @@ "basdzsdas.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" 
@@ -5164,8 +5164,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "basdzsdas.com", "url.extension": "bin", @@ -5183,9 +5183,9 @@ "destination.user.name": "crusher", "event.action": "file_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5235,9 +5235,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "173.236.179.57", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "related.user": [ "crusher" @@ -5262,8 +5262,8 @@ "source.ip": "173.236.179.57", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5287,9 +5287,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5340,9 +5340,9 @@ "basdzsdas.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -5357,8 +5357,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "basdzsdas.com", "url.extension": "bin", @@ -5376,9 +5376,9 @@ "destination.user.name": "crusher", "event.action": "file_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5428,9 +5428,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "91.209.163.202", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "91.209.163.202" ], "related.user": [ "crusher" 
@@ -5455,8 +5455,8 @@ "source.ip": "91.209.163.202", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5470,9 +5470,9 @@ "destination.user.name": "crusher", "event.action": "file_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5522,9 +5522,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "122.226.169.183", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "related.user": [ "crusher" @@ -5548,8 +5548,8 @@ "source.ip": "122.226.169.183", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5573,9 +5573,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5626,9 +5626,9 @@ "softsellfast.com" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -5643,8 +5643,8 @@ "source.port": 63007, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "softsellfast.com", "url.extension": "bin", @@ -5662,9 +5662,9 @@ "destination.user.name": "crusher", "event.action": "file_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5714,9 +5714,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "109.201.131.15", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "related.user": [ "crusher" @@ -5738,8 +5738,8 @@ "source.ip": "109.201.131.15", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -5753,9 +5753,9 @@ "destination.user.name": "crusher", "event.action": "file_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5805,9 +5805,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "91.209.163.202", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "91.209.163.202" ], "related.user": [ "crusher" @@ -5832,8 +5832,8 @@ "source.ip": "91.209.163.202", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5854,9 +5854,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5907,9 +5907,9 @@ "boialex.narod.ru" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "213.180.199.61", - "0.0.0.0" + "213.180.199.61" ], "related.user": [ "crusher" @@ -5924,8 +5924,8 @@ "source.port": 59709, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "boialex.narod.ru", "url.extension": "txt", @@ -5950,9 +5950,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6003,9 +6003,9 @@ "edw-melon.narod.ru" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "213.180.199.61", - "0.0.0.0" + "213.180.199.61" ], "related.user": [ "crusher" @@ -6020,8 +6020,8 @@ "source.port": 59721, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "edw-melon.narod.ru", "url.extension": "txt", 
@@ -6046,9 +6046,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6099,9 +6099,9 @@ "maximtushin.narod.ru" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "213.180.199.61", - "0.0.0.0" + "213.180.199.61" ], "related.user": [ "crusher" @@ -6116,8 +6116,8 @@ "source.port": 59752, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "maximtushin.narod.ru", "url.extension": "txt", @@ -6135,9 +6135,9 @@ "destination.user.name": "crusher", "event.action": "file_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6187,9 +6187,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "173.236.179.57", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "related.user": [ "crusher" @@ -6214,8 +6214,8 @@ "source.ip": "173.236.179.57", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6239,9 +6239,9 @@ "destination.port": 80, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6292,9 +6292,9 @@ "marketingsoluchion.biz" ], "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -6309,8 +6309,8 @@ "source.port": 63183, "source.user.name": "crusher", "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "marketingsoluchion.biz", "url.extension": "bin", 
@@ -6338,9 +6338,9 @@
 "destination.port": 80,
 "event.action": "data_match",
 "event.category": [
- "security_threat",
 "intrusion_detection",
- "network"
+ "network",
+ "security_threat"
 ],
 "event.dataset": "panw.panos",
 "event.kind": "alert",
@@ -6390,9 +6390,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.6",
- "207.46.140.46",
- "0.0.0.0"
+ "207.46.140.46"
 ],
 "related.user": [
 "jordy"
@@ -6407,9 +6407,16 @@
 "source.port": 1047,
 "source.user.name": "jordy",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "jordy"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-09T08:18:29.000-02:00",
@@ -6422,9 +6429,9 @@
 "destination.user.name": "jordy",
 "event.action": "data_match",
 "event.category": [
- "security_threat",
 "intrusion_detection",
- "network"
+ "network",
+ "security_threat"
 ],
 "event.dataset": "panw.panos",
 "event.kind": "alert",
@@ -6474,9 +6481,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
- "65.54.161.34",
+ "0.0.0.0",
 "192.168.0.6",
- "0.0.0.0"
+ "65.54.161.34"
 ],
 "related.user": [
 "jordy"
@@ -6501,8 +6508,8 @@
 "source.ip": "65.54.161.34",
 "source.port": 80,
 "tags": [
- "pan-os",
- "forwarded"
+ "forwarded",
+ "pan-os"
 ]
 },
 {
@@ -6516,9 +6523,9 @@
 "destination.user.name": "jordy",
 "event.action": "data_match",
 "event.category": [
- "security_threat",
 "intrusion_detection",
- "network"
+ "network",
+ "security_threat"
 ],
 "event.dataset": "panw.panos",
 "event.kind": "alert",
@@ -6568,9 +6575,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
- "65.55.5.231",
+ "0.0.0.0",
 "192.168.0.6",
- "0.0.0.0"
+ "65.55.5.231"
 ],
 "related.user": [
 "jordy"
@@ -6595,8 +6602,8 @@
 "source.ip": "65.55.5.231",
 "source.port": 80,
 "tags": [
- "pan-os",
- "forwarded"
+ "forwarded",
+ "pan-os"
 ]
 },
 {
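Review bot: Hunk `@@ -6407,9 +6407,16 @@` commits unresolved git conflict markers into the fixture — the added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 52f226530d...` are not JSON, so the expected-output file no longer parses and the module's golden-file comparison cannot run at all. Both conflict sides are still present (the old `"pan-os", "forwarded" ]` order and the incoming sorted array plus `"user.name": "jordy"`); given the commit's purpose, the resolution should keep only the sorted side, i.e. `"forwarded",` / `"pan-os"` / `]` with all three marker lines removed. The extra `"user.name": "jordy"` key comes from the cherry-picked upstream fixture and is not added by any other hunk in this file (the neighbouring `tags` hunks at 6501 and 6595 only reorder), so it presumably reflects a pipeline change that this branch does not carry — verify against this branch's panw/panos pipeline before keeping it, otherwise the regenerated fixture will diverge again. The same markers appear in hunks `@@ -6689,9 +6696,16 @@`, `@@ -6870,9 +6884,16 @@`, `@@ -7505,9 +7526,16 @@`, `@@ -8690,9 +8718,16 @@` and `@@ -8961,9 +8996,16 @@` and need the same resolution; a pre-commit or CI check that parses every `*-expected.json` would have caught this before merge.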
@@ -6620,9 +6627,9 @@ "destination.port": 80, "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6672,9 +6679,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.6", - "65.54.71.11", - "0.0.0.0" + "65.54.71.11" ], "related.user": [ "jordy" @@ -6689,9 +6696,16 @@ "source.port": 1048, "source.user.name": "jordy", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "jordy" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-09T08:18:37.000-02:00", @@ -6704,9 +6718,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6755,9 +6769,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.239.17", + "0.0.0.0", "192.168.0.6", - "0.0.0.0" + "74.125.239.17" ], "related.user": [ "jordy" @@ -6779,8 +6793,8 @@ "source.ip": "74.125.239.17", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6801,9 +6815,9 @@ "destination.port": 80, "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6853,9 +6867,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "208.85.40.48", - "0.0.0.0" + "208.85.40.48" ], "related.user": [ "picard" 
@@ -6870,9 +6884,16 @@ "source.port": 57502, "source.user.name": "picard", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "picard" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-09T08:58:18.000-02:00", @@ -6885,9 +6906,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6936,9 +6957,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.198", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.198" ], "related.user": [ "picard" @@ -6960,8 +6981,8 @@ "source.ip": "74.125.224.198", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6975,9 +6996,9 @@ "destination.user.name": "jordy", "event.action": "file_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7027,9 +7048,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "188.190.124.75", - "192.168.0.6", - "0.0.0.0" + "192.168.0.6" ], "related.user": [ "jordy" @@ -7054,8 +7075,8 @@ "source.ip": "188.190.124.75", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7069,9 +7090,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -7120,9 +7141,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.200", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.200" ], "related.user": [ "picard" @@ -7144,8 +7165,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7159,9 +7180,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7210,9 +7231,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.239.3", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.239.3" ], "related.user": [ "picard" @@ -7234,8 +7255,8 @@ "source.ip": "74.125.239.3", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7249,9 +7270,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7300,9 +7321,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.239.3", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.239.3" ], "related.user": [ "picard" @@ -7324,8 +7345,8 @@ "source.ip": "74.125.239.3", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7339,9 +7360,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -7390,9 +7411,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.200", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.200" ], "related.user": [ "picard" @@ -7414,8 +7435,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7436,9 +7457,9 @@ "destination.port": 80, "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7488,9 +7509,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "74.125.239.6", - "0.0.0.0" + "74.125.239.6" ], "related.user": [ "picard" @@ -7505,9 +7526,16 @@ "source.port": 52366, "source.user.name": "picard", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "picard" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-09T07:25:04.000-02:00", @@ -7520,9 +7548,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7571,9 +7599,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.193", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.193" ], "related.user": [ "picard" @@ -7595,8 +7623,8 @@ "source.ip": "74.125.224.193", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7610,9 +7638,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -7662,9 +7690,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.239.20", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.239.20" ], "related.user": [ "picard" @@ -7686,8 +7714,8 @@ "source.ip": "74.125.239.20", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7701,9 +7729,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7752,9 +7780,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "208.80.154.225", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "208.80.154.225" ], "related.user": [ "picard" @@ -7776,8 +7804,8 @@ "source.ip": "208.80.154.225", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7791,9 +7819,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7843,9 +7871,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "208.80.154.234", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "208.80.154.234" ], "related.user": [ "picard" @@ -7867,8 +7895,8 @@ "source.ip": "208.80.154.234", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7882,9 +7910,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -7934,9 +7962,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "65.54.75.25", + "0.0.0.0", "192.168.0.6", - "0.0.0.0" + "65.54.75.25" ], "related.user": [ "jordy" @@ -7961,8 +7989,8 @@ "source.ip": "65.54.75.25", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7976,9 +8004,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8027,9 +8055,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.206", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.206" ], "related.user": [ "jordy" @@ -8051,8 +8079,8 @@ "source.ip": "74.125.224.206", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8066,9 +8094,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8117,9 +8145,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.195", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.195" ], "related.user": [ "jordy" @@ -8141,8 +8169,8 @@ "source.ip": "74.125.224.195", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8156,9 +8184,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -8208,9 +8236,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "207.178.96.34", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "207.178.96.34" ], "related.user": [ "jordy" @@ -8235,8 +8263,8 @@ "source.ip": "207.178.96.34", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8250,9 +8278,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8301,9 +8329,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.195", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.195" ], "related.user": [ "picard" @@ -8325,8 +8353,8 @@ "source.ip": "74.125.224.195", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8340,9 +8368,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8391,9 +8419,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.239.20", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.239.20" ], "related.user": [ "picard" @@ -8415,8 +8443,8 @@ "source.ip": "74.125.239.20", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8430,9 +8458,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -8482,9 +8510,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "66.152.109.24", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "66.152.109.24" ], "related.user": [ "picard" @@ -8509,8 +8537,8 @@ "source.ip": "66.152.109.24", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8524,9 +8552,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8575,9 +8603,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.200", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.200" ], "related.user": [ "picard" @@ -8599,8 +8627,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8621,9 +8649,9 @@ "destination.port": 80, "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8673,9 +8701,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "74.125.224.201", - "0.0.0.0" + "74.125.224.201" ], "related.user": [ "picard" @@ -8690,9 +8718,16 @@ "source.port": 49681, "source.user.name": "picard", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "picard" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-09T06:54:35.000-02:00", @@ -8705,9 +8740,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -8756,9 +8791,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.200", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.200" ], "related.user": [ "picard" @@ -8780,8 +8815,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8795,9 +8830,9 @@ "destination.user.name": "picard", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8846,9 +8881,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.200", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.200" ], "related.user": [ "picard" @@ -8870,8 +8905,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8892,9 +8927,9 @@ "destination.port": 80, "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8944,9 +8979,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "208.85.40.48", - "0.0.0.0" + "208.85.40.48" ], "related.user": [ "jordy" @@ -8961,9 +8996,16 @@ "source.port": 59781, "source.user.name": "jordy", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "jordy" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-09T03:45:45.000-02:00", @@ -8976,9 +9018,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -9027,9 +9069,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.201", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.201" ], "related.user": [ "jordy" @@ -9051,8 +9093,8 @@ "source.ip": "74.125.224.201", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9066,9 +9108,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -9117,9 +9159,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.201", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.201" ], "related.user": [ "jordy" @@ -9141,8 +9183,8 @@ "source.ip": "74.125.224.201", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9156,9 +9198,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -9207,9 +9249,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.200", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.200" ], "related.user": [ "jordy" @@ -9231,8 +9273,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9246,9 +9288,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -9297,9 +9339,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.200", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.200" ], "related.user": [ "jordy" @@ -9321,8 +9363,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9336,9 +9378,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -9388,9 +9430,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.198", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.198" ], "related.user": [ "jordy" @@ -9412,8 +9454,8 @@ "source.ip": "74.125.224.198", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9427,9 +9469,9 @@ "destination.user.name": "jordy", "event.action": "data_match", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -9478,9 +9520,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ - "74.125.224.200", + "0.0.0.0", "192.168.0.2", - "0.0.0.0" + "74.125.224.200" ], "related.user": [ "jordy" @@ -9502,8 +9544,8 @@ "source.ip": "74.125.224.200", "source.port": 80, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index c90c76236b3..45b80fab7df 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json 
@@ -23,8 +23,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -36,8 +36,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -76,9 +76,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -96,9 +96,16 @@ "source.port": 59324, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -121,8 +128,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -134,8 +141,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -174,9 +181,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -194,9 +201,16 @@ "source.port": 54448, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", 
@@ -219,8 +233,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -232,8 +246,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -272,9 +286,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -292,9 +306,16 @@ "source.port": 53121, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -320,8 +341,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -333,8 +354,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -373,9 +394,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -393,9 +414,16 @@ "source.port": 59323, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", 
@@ -421,8 +449,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -434,8 +462,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -474,9 +502,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -494,9 +522,16 @@ "source.port": 59322, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -519,8 +554,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -532,8 +567,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -572,9 +607,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -592,9 +627,16 @@ "source.port": 55766, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", 
@@ -617,8 +659,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -630,8 +672,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -670,9 +712,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -690,9 +732,16 @@ "source.port": 55072, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -718,8 +767,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -731,8 +780,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -771,9 +820,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -791,9 +840,16 @@ "source.port": 59207, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", 
@@ -819,8 +875,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -832,8 +888,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -872,9 +928,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -892,9 +948,16 @@ "source.port": 59209, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -920,8 +983,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -933,8 +996,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -973,9 +1036,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -993,9 +1056,16 @@ "source.port": 59208, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", 
@@ -1021,8 +1091,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1034,8 +1104,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1074,9 +1144,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1094,9 +1164,16 @@ "source.port": 59318, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1122,8 +1199,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1135,8 +1212,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1175,9 +1252,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1195,9 +1272,16 @@ "source.port": 59317, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", 
@@ -1223,8 +1307,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1236,8 +1320,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1276,9 +1360,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1296,9 +1380,16 @@ "source.port": 59316, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1324,8 +1415,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1337,8 +1428,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1377,9 +1468,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1397,9 +1488,16 @@ "source.port": 59315, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", 
@@ -1425,8 +1523,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1438,8 +1536,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1478,9 +1576,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1498,9 +1596,16 @@ "source.port": 59206, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1526,8 +1631,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -1539,8 +1644,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1579,9 +1684,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1599,9 +1704,16 @@ "source.port": 59205, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", 
@@ -1627,8 +1739,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 512000000000, @@ -1640,8 +1752,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1680,9 +1792,9 @@ "panw.panos.url.category": "malware-sites", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1700,9 +1812,16 @@ "source.port": 56858, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -1728,8 +1847,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1741,8 +1860,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1781,9 +1900,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1801,9 +1920,16 @@ "source.port": 59314, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", 
@@ -1829,8 +1955,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1842,8 +1968,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1882,9 +2008,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -1902,9 +2028,16 @@ "source.port": 59313, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -1927,8 +2060,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1940,8 +2073,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1980,9 +2113,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -2000,9 +2133,16 @@ "source.port": 52139, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", 
@@ -2025,8 +2165,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2038,8 +2178,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2078,9 +2218,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -2098,9 +2238,16 @@ "source.port": 60592, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2126,8 +2273,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2139,8 +2286,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2179,9 +2326,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2199,9 +2346,16 @@ "source.port": 59309, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", 
@@ -2224,8 +2378,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2237,8 +2391,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -2277,9 +2431,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -2297,9 +2451,16 @@ "source.port": 57322, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2325,8 +2486,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2338,8 +2499,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -2378,9 +2539,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2398,9 +2559,16 @@ "source.port": 59204, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", 
@@ -2426,8 +2594,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2439,8 +2607,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -2479,9 +2647,9 @@ "panw.panos.url.category": "private-ip-addresses", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2499,9 +2667,16 @@ "source.port": 59203, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2527,8 +2702,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2540,8 +2715,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2580,9 +2755,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2600,9 +2775,16 @@ "source.port": 59305, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", 
@@ -2625,8 +2807,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2638,8 +2820,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2678,9 +2860,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -2698,9 +2880,16 @@ "source.port": 64005, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2723,8 +2912,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2736,8 +2925,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2776,9 +2965,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "205.171.2.25", - "0.0.0.0" + "205.171.2.25" ], "related.user": [ "crusher" @@ -2796,9 +2985,16 @@ "source.port": 58768, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", 
@@ -2824,8 +3020,8 @@ "destination.port": 13069, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 125000000000, @@ -2837,8 +3033,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2877,9 +3073,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "98.149.55.63", - "0.0.0.0" + "98.149.55.63" ], "related.user": [ "crusher" @@ -2897,9 +3093,16 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2925,8 +3128,8 @@ "destination.port": 80, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2938,8 +3141,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2978,9 +3181,9 @@ "panw.panos.url.category": "any", "panw.panos.virtual_sys": "vsys1", "related.ip": [ + "0.0.0.0", "192.168.0.2", - "204.232.231.46", - "0.0.0.0" + "204.232.231.46" ], "related.user": [ "crusher" @@ -2998,9 +3201,16 @@ "source.port": 59304, "source.user.name": "crusher", "tags": [ +<<<<<<< HEAD "pan-os", "forwarded" ] +======= + "forwarded", + "pan-os" + ], + "user.name": "crusher" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", 
@@ -3023,8 +3233,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3036,8 +3246,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3076,9 +3286,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -3096,9 +3306,16 @@
 "source.port": 54533,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:55.000-02:00",
@@ -3124,8 +3341,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 1000000000,
@@ -3137,8 +3354,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3177,9 +3394,9 @@
 "panw.panos.url.category": "search-engines",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "212.48.10.58",
- "0.0.0.0"
+ "212.48.10.58"
 ],
 "related.user": [
 "crusher"
@@ -3197,9 +3414,16 @@
 "source.port": 59201,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -3225,8 +3449,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3238,8 +3462,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3278,9 +3502,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -3298,9 +3522,16 @@
 "source.port": 59303,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -3323,8 +3554,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3336,8 +3567,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3376,9 +3607,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -3396,9 +3627,16 @@
 "source.port": 50876,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -3421,8 +3659,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3434,8 +3672,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3474,9 +3712,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -3494,9 +3732,16 @@
 "source.port": 57657,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -3522,8 +3767,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3535,8 +3780,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3575,9 +3820,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -3595,9 +3840,16 @@
 "source.port": 59302,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -3623,8 +3875,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3636,8 +3888,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3676,9 +3928,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -3696,9 +3948,16 @@
 "source.port": 59301,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -3721,8 +3980,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3734,8 +3993,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3774,9 +4033,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -3794,9 +4053,16 @@
 "source.port": 64844,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -3819,8 +4085,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3832,8 +4098,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3872,9 +4138,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -3892,9 +4158,16 @@
 "source.port": 52257,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -3916,8 +4189,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -3929,8 +4202,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -3968,9 +4241,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.100",
- "8.8.8.8",
- "0.0.0.0"
+ "8.8.8.8"
 ],
 "rule.name": "rule1",
 "server.bytes": 111,
@@ -3984,8 +4257,8 @@
 "source.packets": 1,
 "source.port": 38796,
 "tags": [
- "pan-os",
- "forwarded"
+ "forwarded",
+ "pan-os"
 ]
 },
 {
@@ -4009,8 +4282,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 1000000000,
@@ -4022,8 +4295,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4062,9 +4335,9 @@
 "panw.panos.url.category": "entertainment-and-arts",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "62.211.68.12",
- "0.0.0.0"
+ "62.211.68.12"
 ],
 "related.user": [
 "crusher"
@@ -4082,9 +4355,16 @@
 "source.port": 59200,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -4109,8 +4389,8 @@
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -4122,8 +4402,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4161,9 +4441,9 @@
 "panw.panos.url.category": "computer-and-internet-security",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.100",
- "50.19.102.116",
- "0.0.0.0"
+ "50.19.102.116"
 ],
 "rule.name": "rule1",
 "server.bytes": 5013,
@@ -4177,8 +4457,8 @@
 "source.packets": 10,
 "source.port": 48412,
 "tags": [
- "pan-os",
- "forwarded"
+ "forwarded",
+ "pan-os"
 ]
 },
 {
@@ -4205,8 +4485,8 @@
 "destination.port": 40026,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -4218,8 +4498,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4258,9 +4538,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "65.55.223.19",
- "0.0.0.0"
+ "65.55.223.19"
 ],
 "related.user": [
 "crusher"
@@ -4278,9 +4558,16 @@
 "source.port": 47752,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -4306,8 +4593,8 @@
 "destination.port": 40029,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -4319,8 +4606,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4359,9 +4646,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "65.55.223.24",
- "0.0.0.0"
+ "65.55.223.24"
 ],
 "related.user": [
 "crusher"
@@ -4379,9 +4666,16 @@
 "source.port": 47752,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:54.000-02:00",
@@ -4403,8 +4697,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -4416,8 +4710,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4455,9 +4749,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.100",
- "8.8.8.8",
- "0.0.0.0"
+ "8.8.8.8"
 ],
 "rule.name": "rule1",
 "server.bytes": 141,
@@ -4471,8 +4765,8 @@
 "source.packets": 1,
 "source.port": 52189,
 "tags": [
- "pan-os",
- "forwarded"
+ "forwarded",
+ "pan-os"
 ]
 },
 {
@@ -4499,8 +4793,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -4512,8 +4806,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4552,9 +4846,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -4572,9 +4866,16 @@
 "source.port": 59300,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -4597,8 +4898,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -4610,8 +4911,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4650,9 +4951,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -4670,9 +4971,16 @@
 "source.port": 54414,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -4698,8 +5006,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -4711,8 +5019,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4751,9 +5059,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -4771,9 +5079,16 @@
 "source.port": 59299,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -4796,8 +5111,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -4809,8 +5124,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4849,9 +5164,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -4869,9 +5184,16 @@
 "source.port": 60399,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -4894,8 +5216,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 1000000000,
@@ -4907,8 +5229,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -4947,9 +5269,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -4967,9 +5289,16 @@
 "source.port": 59626,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -4992,8 +5321,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -5005,8 +5334,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5045,9 +5374,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -5065,9 +5394,16 @@
 "source.port": 51542,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -5090,8 +5426,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -5103,8 +5439,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5143,9 +5479,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -5163,9 +5499,16 @@
 "source.port": 54182,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -5188,8 +5531,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -5201,8 +5544,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5241,9 +5584,9 @@
 "panw.panos.url.category": "business-and-economy",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "62.211.68.12",
- "0.0.0.0"
+ "62.211.68.12"
 ],
 "related.user": [
 "crusher"
@@ -5261,9 +5604,16 @@
 "source.port": 59199,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -5289,8 +5639,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 2000000000,
@@ -5302,8 +5652,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5342,9 +5692,9 @@
 "panw.panos.url.category": "search-engines",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "212.48.10.58",
- "0.0.0.0"
+ "212.48.10.58"
 ],
 "related.user": [
 "crusher"
@@ -5362,9 +5712,16 @@
 "source.port": 59198,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -5390,8 +5747,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 512000000000,
@@ -5403,8 +5760,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5443,9 +5800,9 @@
 "panw.panos.url.category": "malware-sites",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -5463,9 +5820,16 @@
 "source.port": 56856,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:53.000-02:00",
@@ -5488,8 +5852,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -5501,8 +5865,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5541,9 +5905,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -5561,9 +5925,16 @@
 "source.port": 52489,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -5589,8 +5960,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -5602,8 +5973,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5642,9 +6013,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -5662,9 +6033,16 @@
 "source.port": 59298,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -5687,8 +6065,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -5700,8 +6078,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5740,9 +6118,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -5760,9 +6138,16 @@
 "source.port": 60185,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -5785,8 +6170,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -5798,8 +6183,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5838,9 +6223,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -5858,9 +6243,16 @@
 "source.port": 51817,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -5886,8 +6278,8 @@
 "destination.port": 40043,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -5899,8 +6291,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -5939,9 +6331,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "65.55.223.31",
- "0.0.0.0"
+ "65.55.223.31"
 ],
 "related.user": [
 "crusher"
@@ -5959,9 +6351,16 @@
 "source.port": 47752,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -5987,8 +6386,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6000,8 +6399,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6040,9 +6439,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -6060,9 +6459,16 @@
 "source.port": 59297,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -6085,8 +6491,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6098,8 +6504,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6138,9 +6544,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -6158,9 +6564,16 @@
 "source.port": 52537,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -6183,8 +6596,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6196,8 +6609,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6236,9 +6649,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -6256,9 +6669,16 @@
 "source.port": 53155,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -6281,8 +6701,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 1000000000,
@@ -6294,8 +6714,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6334,9 +6754,9 @@
 "panw.panos.url.category": "entertainment-and-arts",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "62.211.68.12",
- "0.0.0.0"
+ "62.211.68.12"
 ],
 "related.user": [
 "crusher"
@@ -6354,9 +6774,16 @@
 "source.port": 59197,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:52.000-02:00",
@@ -6379,8 +6806,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6392,8 +6819,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6432,9 +6859,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -6452,9 +6879,16 @@
 "source.port": 56995,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:51.000-02:00",
@@ -6477,8 +6911,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6490,8 +6924,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6530,9 +6964,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -6550,9 +6984,16 @@
 "source.port": 59069,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:51.000-02:00",
@@ -6575,8 +7016,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6588,8 +7029,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6628,9 +7069,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -6648,9 +7089,16 @@
 "source.port": 55697,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:51.000-02:00",
@@ -6676,8 +7124,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6689,8 +7137,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6729,9 +7177,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -6749,9 +7197,16 @@
 "source.port": 59295,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:51.000-02:00",
@@ -6774,8 +7229,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 1000000000,
@@ -6787,8 +7242,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6827,9 +7282,9 @@
 "panw.panos.url.category": "business-and-economy",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "62.211.68.12",
- "0.0.0.0"
+ "62.211.68.12"
 ],
 "related.user": [
 "crusher"
@@ -6847,9 +7302,16 @@
 "source.port": 59196,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -6875,8 +7337,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6888,8 +7350,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -6928,9 +7390,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -6948,9 +7410,16 @@
 "source.port": 59291,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -6973,8 +7442,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -6986,8 +7455,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7026,9 +7495,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -7046,9 +7515,16 @@
 "source.port": 52858,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7071,8 +7547,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -7084,8 +7560,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7124,9 +7600,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -7144,9 +7620,16 @@
 "source.port": 61383,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7172,8 +7655,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -7185,8 +7668,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7225,9 +7708,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -7245,9 +7728,16 @@
 "source.port": 59290,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7270,8 +7760,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -7283,8 +7773,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7323,9 +7813,9 @@
 "panw.panos.url.category": "not-resolved",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "8.5.1.1",
- "0.0.0.0"
+ "8.5.1.1"
 ],
 "related.user": [
 "crusher"
@@ -7343,9 +7833,16 @@
 "source.port": 59195,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7368,8 +7865,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -7381,8 +7878,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7421,9 +7918,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -7441,9 +7938,16 @@
 "source.port": 49812,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7466,8 +7970,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -7479,8 +7983,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7519,9 +8023,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -7539,9 +8043,16 @@
 "source.port": 50185,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7567,8 +8078,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -7580,8 +8091,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7620,9 +8131,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -7640,9 +8151,16 @@
 "source.port": 59286,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7658,8 +8176,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -7671,8 +8189,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7711,9 +8229,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
- "192.168.0.2",
+ "0.0.0.0",
 "192.168.0.1",
- "0.0.0.0"
+ "192.168.0.2"
 ],
 "related.user": [
 "crusher"
@@ -7731,9 +8249,16 @@
 "source.port": 52531,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7759,8 +8284,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 3000000000,
@@ -7772,8 +8297,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7812,9 +8337,9 @@
 "panw.panos.url.category": "search-engines",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "212.48.10.58",
- "0.0.0.0"
+ "212.48.10.58"
 ],
 "related.user": [
 "crusher"
@@ -7832,9 +8357,16 @@
 "source.port": 59194,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7860,8 +8392,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 7000000000,
@@ -7873,8 +8405,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -7913,9 +8445,9 @@
 "panw.panos.url.category": "search-engines",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "212.48.10.58",
- "0.0.0.0"
+ "212.48.10.58"
 ],
 "related.user": [
 "crusher"
@@ -7933,9 +8465,16 @@
 "source.port": 59192,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -7951,8 +8490,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -7964,8 +8503,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8004,9 +8543,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
- "192.168.0.2",
+ "0.0.0.0",
 "192.168.0.1",
- "0.0.0.0"
+ "192.168.0.2"
 ],
 "related.user": [
 "crusher"
@@ -8024,9 +8563,16 @@
 "source.port": 56463,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:50.000-02:00",
@@ -8042,8 +8588,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8055,8 +8601,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8095,9 +8641,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
- "192.168.0.2",
+ "0.0.0.0",
 "192.168.0.1",
- "0.0.0.0"
+ "192.168.0.2"
 ],
 "related.user": [
 "crusher"
@@ -8115,9 +8661,16 @@
 "source.port": 55849,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:49.000-02:00",
@@ -8143,8 +8696,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8156,8 +8709,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8196,9 +8749,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -8216,9 +8769,16 @@
 "source.port": 59282,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:49.000-02:00",
@@ -8241,8 +8801,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8254,8 +8814,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8294,9 +8854,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -8314,9 +8874,16 @@
 "source.port": 57846,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:49.000-02:00",
@@ -8339,8 +8906,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8352,8 +8919,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8392,9 +8959,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -8412,9 +8979,16 @@
 "source.port": 51008,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:49.000-02:00",
@@ -8440,8 +9014,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8453,8 +9027,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8493,9 +9067,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -8513,9 +9087,16 @@
 "source.port": 59281,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:49.000-02:00",
@@ -8538,8 +9119,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8551,8 +9132,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8591,9 +9172,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -8611,9 +9192,16 @@
 "source.port": 55252,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:49.000-02:00",
@@ -8629,8 +9217,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 1000000000,
@@ -8642,8 +9230,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8682,9 +9270,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
- "192.168.0.2",
+ "0.0.0.0",
 "192.168.0.1",
- "0.0.0.0"
+ "192.168.0.2"
 ],
 "related.user": [
 "crusher"
@@ -8702,9 +9290,16 @@
 "source.port": 56995,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:49.000-02:00",
@@ -8727,8 +9322,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8740,8 +9335,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8780,9 +9375,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -8800,9 +9395,16 @@
 "source.port": 60989,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:48.000-02:00",
@@ -8828,8 +9430,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8841,8 +9443,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8881,9 +9483,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -8901,9 +9503,16 @@
 "source.port": 59280,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:48.000-02:00",
@@ -8926,8 +9535,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -8939,8 +9548,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -8979,9 +9588,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -8999,9 +9608,16 @@
 "source.port": 53766,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:48.000-02:00",
@@ -9024,8 +9640,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -9037,8 +9653,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9077,9 +9693,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "205.171.2.25",
- "0.0.0.0"
+ "205.171.2.25"
 ],
 "related.user": [
 "crusher"
@@ -9097,9 +9713,16 @@
 "source.port": 56032,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:48.000-02:00",
@@ -9122,8 +9745,8 @@
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 1000000000,
@@ -9135,8 +9758,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9175,9 +9798,9 @@
 "panw.panos.url.category": "entertainment-and-arts",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "62.211.68.12",
- "0.0.0.0"
+ "62.211.68.12"
 ],
 "related.user": [
 "crusher"
@@ -9195,9 +9818,16 @@
 "source.port": 59193,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:48.000-02:00",
@@ -9223,8 +9853,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -9236,8 +9866,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9276,9 +9906,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -9296,9 +9926,16 @@
 "source.port": 59279,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:47.000-02:00",
@@ -9324,8 +9961,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -9337,8 +9974,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9377,9 +10014,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -9397,9 +10034,16 @@
 "source.port": 59278,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:47.000-02:00",
@@ -9425,8 +10069,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -9438,8 +10082,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9478,9 +10122,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -9498,9 +10142,16 @@
 "source.port": 59277,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:47.000-02:00",
@@ -9516,8 +10167,8 @@
 "destination.port": 53,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 1000000000,
@@ -9529,8 +10180,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9569,9 +10220,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
- "192.168.0.2",
+ "0.0.0.0",
 "192.168.0.1",
- "0.0.0.0"
+ "192.168.0.2"
 ],
 "related.user": [
 "crusher"
@@ -9589,9 +10240,16 @@
 "source.port": 60026,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:47.000-02:00",
@@ -9617,8 +10275,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -9630,8 +10288,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9670,9 +10328,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -9690,9 +10348,16 @@
 "source.port": 59276,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:47.000-02:00",
@@ -9718,8 +10383,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -9731,8 +10396,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9771,9 +10436,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -9791,9 +10456,16 @@
 "source.port": 59275,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 },
 {
 "@timestamp": "2012-04-10T04:39:46.000-02:00",
@@ -9819,8 +10491,8 @@
 "destination.port": 80,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -9832,8 +10504,8 @@
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -9872,9 +10544,9 @@
 "panw.panos.url.category": "any",
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
+ "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46",
- "0.0.0.0"
+ "204.232.231.46"
 ],
 "related.user": [
 "crusher"
@@ -9892,8 +10564,15 @@
 "source.port": 59274,
 "source.user.name": "crusher",
 "tags": [
+<<<<<<< HEAD
 "pan-os",
 "forwarded"
 ]
+=======
+ "forwarded",
+ "pan-os"
+ ],
+ "user.name": "crusher"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json
index 5fa261c1203..fba55818a8e 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json
@@ -16,8 +16,8 @@
 "destination.port": 514,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -29,8 +29,8 @@
 "event.timezone": "+01:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -78,8 +78,8 @@
 "PA-VM"
 ],
 "related.ip": [
- "192.168.2.4",
- "0.0.0.0"
+ "0.0.0.0",
+ "192.168.2.4"
 ],
 "rule.name": "Internet Access",
 "server.bytes": 272,
@@ -97,8 +97,8 @@
 "source.packets": 5,
 "source.port": 32801,
 "tags": [
- "pan-os",
- "forwarded"
+ "forwarded",
+ "pan-os"
 ]
 },
 {
@@ -118,8 +118,8 @@
 "destination.port": 514,
 "event.action": "flow_terminated",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -131,8 +131,8 @@
 "event.timezone": "+01:00",
 "event.type": [
 "allowed",
- "end",
- "connection"
+ "connection",
+ "end"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -180,8 +180,8 @@
 "PA-VM"
 ],
 "related.ip": [
- "192.168.2.4",
- "0.0.0.0"
+ "0.0.0.0",
+ "192.168.2.4"
 ],
 "rule.name": "Internet Access",
 "server.bytes": 3347,
@@ -199,8 +199,8 @@
 "source.packets": 8,
 "source.port": 37836,
 "tags": [
- "pan-os",
- "forwarded"
+ "forwarded",
+ "pan-os"
 ]
 },
 {
@@ -227,8 +227,8 @@
 "destination.port": 53,
 "event.action": "flow_started",
 "event.category": [
- "network_traffic",
- "network"
+ "network",
+ "network_traffic"
 ],
 "event.dataset": "panw.panos",
 "event.duration": 0,
@@ -240,8 +240,8 @@
 "event.timezone": "+01:00",
 "event.type": [
 "allowed",
- "start",
- "connection"
+ "connection",
+ "start"
 ],
 "fileset.name": "panos",
 "input.type": "log",
@@ -251,8 +251,8 @@
 "network.application": "dns",
 "network.bytes": 98,
 "network.community_id": [
- "1:zaMaHKHgtAI0P0GFKSvTKuRvtCk=",
- "1:iZ9KNh4RcbWK6J5ekLnBGXz74BU="
+ "1:iZ9KNh4RcbWK6J5ekLnBGXz74BU=",
+ "1:zaMaHKHgtAI0P0GFKSvTKuRvtCk="
 ],
 "network.direction": "unknown",
 "network.packets": 1,
@@ -289,9 +289,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -309,8 +309,8 @@ "source.packets": 1, "source.port": 33101, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -330,8 +330,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -343,8 +343,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -354,8 +354,8 @@ "network.application": "ssl", "network.bytes": 575, "network.community_id": [ - "1:PNiHVpZIK7v0ydM8B00Ch41WMzY=", - "1:HH1IKjYJ3NGs13+gdS2heABbiFA=" + "1:HH1IKjYJ3NGs13+gdS2heABbiFA=", + "1:PNiHVpZIK7v0ydM8B00Ch41WMzY=" ], "network.direction": "unknown", "network.packets": 4, @@ -392,8 +392,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -411,8 +411,8 @@ "source.packets": 3, "source.port": 38164, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -439,8 +439,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -452,8 +452,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -501,9 +501,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 129, @@ -521,8 +521,8 @@ "source.packets": 1, "source.port": 59890, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -549,8 +549,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -562,8 +562,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -611,9 +611,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -631,8 +631,8 @@ "source.packets": 1, "source.port": 34516, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -652,8 +652,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -665,8 +665,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -676,8 +676,8 @@ "network.application": "ssl", "network.bytes": 575, "network.community_id": [ - "1:kVvls8jOBNY1OPztYrPGpMuojHU=", - "1:V9WZuhDxhC/vEvZJGKfb6FMC8UI=" + "1:V9WZuhDxhC/vEvZJGKfb6FMC8UI=", + "1:kVvls8jOBNY1OPztYrPGpMuojHU=" ], "network.direction": "unknown", "network.packets": 4, @@ -714,8 +714,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -733,8 +733,8 @@ "source.packets": 3, "source.port": 42905, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -761,8 +761,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -774,8 +774,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -785,8 +785,8 @@ "network.application": "dns", "network.bytes": 228, "network.community_id": [ - "1:KxK8ZPfaaBYRsG1EXYQq/SwloKk=", - "1:/QKiNYN5LRWf/GXzKOZ5wzrtpzs=" + "1:/QKiNYN5LRWf/GXzKOZ5wzrtpzs=", + "1:KxK8ZPfaaBYRsG1EXYQq/SwloKk=" ], "network.direction": "unknown", "network.packets": 2, @@ -823,9 +823,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 130, @@ -843,8 +843,8 @@ "source.packets": 1, "source.port": 51150, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -864,8 +864,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -877,8 +877,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -888,8 +888,8 @@ "network.application": "ssl", "network.bytes": 104899, "network.community_id": [ - "1:zBPdo2cbhu/ikZJVxuft5VV4gXc=", - "1:EWt4TLjkII9rdzFzQrCecjyvdNs=" + "1:EWt4TLjkII9rdzFzQrCecjyvdNs=", + "1:zBPdo2cbhu/ikZJVxuft5VV4gXc=" ], "network.direction": "unknown", "network.packets": 90, @@ -926,8 +926,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 102960, @@ -945,8 +945,8 @@ "source.packets": 16, "source.port": 49731, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -962,8 +962,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -975,8 +975,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1019,9 +1019,9 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", + "0.0.0.0", "192.168.1.2", - "0.0.0.0" + "192.168.2.2" ], "rule.name": "Umbrella VA", "server.bytes": 0, @@ -1035,8 +1035,8 @@ "source.packets": 1, "source.port": 54494, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1056,8 +1056,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1069,8 +1069,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1080,8 +1080,8 @@ "network.application": "ssl", "network.bytes": 763, "network.community_id": [ - "1:jSansDvvosScCxe+L3E1dgCaoGA=", - "1:0GBJDPaROtJKL84KTZyAcjY3dnM=" + "1:0GBJDPaROtJKL84KTZyAcjY3dnM=", + "1:jSansDvvosScCxe+L3E1dgCaoGA=" ], "network.direction": "unknown", "network.packets": 4, @@ -1118,8 +1118,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -1137,8 +1137,8 @@ "source.packets": 3, "source.port": 49735, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1158,8 +1158,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1171,8 +1171,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -1221,8 +1221,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 5515, @@ -1240,8 +1240,8 @@ "source.packets": 10, "source.port": 59652, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1268,8 +1268,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1281,8 +1281,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1292,8 +1292,8 @@ "network.application": "dns", "network.bytes": 226, "network.community_id": [ - "1:rjZLUyzi918RXeJx7TcYqv9rtTA=", - "1:fQ9CdNkui7fy1kmGg3+Q8GoVDj0=" + "1:fQ9CdNkui7fy1kmGg3+Q8GoVDj0=", + "1:rjZLUyzi918RXeJx7TcYqv9rtTA=" ], "network.direction": "unknown", "network.packets": 2, @@ -1330,9 +1330,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 129, @@ -1350,8 +1350,8 @@ "source.packets": 1, "source.port": 44670, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1371,8 +1371,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1384,8 +1384,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1395,8 +1395,8 @@ "network.application": "ssl", "network.bytes": 905, "network.community_id": [ - "1:UoT96BuGScPef2zT4Or/oTpjPIA=", - "1:KTKTGO4zN+SNmL9OPeJNGCD6uHQ=" + "1:KTKTGO4zN+SNmL9OPeJNGCD6uHQ=", + "1:UoT96BuGScPef2zT4Or/oTpjPIA=" ], "network.direction": "unknown", "network.packets": 9, 
@@ -1433,8 +1433,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -1452,8 +1452,8 @@ "source.packets": 5, "source.port": 34594, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1473,8 +1473,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1486,8 +1486,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1497,8 +1497,8 @@ "network.application": "ssl", "network.bytes": 839, "network.community_id": [ - "1:XJXk4nygeZp8TS/14vBLhg+DfKI=", - "1:NZS7k9NnI0I+UkcHh8YmUK6arRY=" + "1:NZS7k9NnI0I+UkcHh8YmUK6arRY=", + "1:XJXk4nygeZp8TS/14vBLhg+DfKI=" ], "network.direction": "unknown", "network.packets": 8, @@ -1535,8 +1535,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -1554,8 +1554,8 @@ "source.packets": 4, "source.port": 39016, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1575,8 +1575,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1588,8 +1588,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1599,8 +1599,8 @@ "network.application": "ssl", "network.bytes": 575, "network.community_id": [ - "1:cyfPySal4nz545m2yAKQxGRkQtY=", - "1:GJcy1iCLbuSC9VsigjDlTq8eDww=" + "1:GJcy1iCLbuSC9VsigjDlTq8eDww=", + "1:cyfPySal4nz545m2yAKQxGRkQtY=" ], "network.direction": "unknown", "network.packets": 4, 
@@ -1637,8 +1637,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -1656,8 +1656,8 @@ "source.packets": 3, "source.port": 37455, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1684,8 +1684,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1697,8 +1697,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1746,9 +1746,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 130, @@ -1766,8 +1766,8 @@ "source.packets": 1, "source.port": 42451, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1794,8 +1794,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1807,8 +1807,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1856,9 +1856,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -1876,8 +1876,8 @@ "source.packets": 1, "source.port": 49896, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1904,8 +1904,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -1917,8 +1917,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -1966,9 +1966,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -1986,8 +1986,8 @@ "source.packets": 1, "source.port": 40588, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2014,8 +2014,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2027,8 +2027,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2038,8 +2038,8 @@ "network.application": "ssl", "network.bytes": 763, "network.community_id": [ - "1:Wv3VMrLUEcUjsT5UjLKEFYGGqGM=", - "1:HoE83whEKEhxbOay6K/r+N+p5x8=" + "1:HoE83whEKEhxbOay6K/r+N+p5x8=", + "1:Wv3VMrLUEcUjsT5UjLKEFYGGqGM=" ], "network.direction": "unknown", "network.packets": 4, @@ -2076,9 +2076,9 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", + "0.0.0.0", "172.217.23.174", - "0.0.0.0" + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -2096,8 +2096,8 @@ "source.packets": 3, "source.port": 59655, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2124,8 +2124,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2137,8 +2137,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", 
@@ -2149,8 +2149,8 @@ "network.application": "web-browsing", "network.bytes": 5451, "network.community_id": [ - "1:Wv3VMrLUEcUjsT5UjLKEFYGGqGM=", - "1:HoE83whEKEhxbOay6K/r+N+p5x8=" + "1:HoE83whEKEhxbOay6K/r+N+p5x8=", + "1:Wv3VMrLUEcUjsT5UjLKEFYGGqGM=" ], "network.direction": "unknown", "network.packets": 12, @@ -2187,9 +2187,9 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", + "0.0.0.0", "172.217.23.174", - "0.0.0.0" + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 4146, @@ -2207,8 +2207,8 @@ "source.packets": 6, "source.port": 59655, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2235,8 +2235,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2248,8 +2248,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2260,8 +2260,8 @@ "network.application": "google-base", "network.bytes": 5451, "network.community_id": [ - "1:Wv3VMrLUEcUjsT5UjLKEFYGGqGM=", - "1:HoE83whEKEhxbOay6K/r+N+p5x8=" + "1:HoE83whEKEhxbOay6K/r+N+p5x8=", + "1:Wv3VMrLUEcUjsT5UjLKEFYGGqGM=" ], "network.direction": "unknown", "network.packets": 12, @@ -2298,9 +2298,9 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", + "0.0.0.0", "172.217.23.174", - "0.0.0.0" + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 4146, @@ -2318,8 +2318,8 @@ "source.packets": 6, "source.port": 59655, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2339,8 +2339,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -2352,8 +2352,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2401,8 +2401,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -2420,8 +2420,8 @@ "source.packets": 3, "source.port": 40078, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2441,8 +2441,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2454,8 +2454,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2465,8 +2465,8 @@ "network.application": "ssl", "network.bytes": 763, "network.community_id": [ - "1:LpzYg9zJ/GxI205Q5GqzVUpPw38=", - "1:/O4itAg7ZU8egCD29pvBS/W6dck=" + "1:/O4itAg7ZU8egCD29pvBS/W6dck=", + "1:LpzYg9zJ/GxI205Q5GqzVUpPw38=" ], "network.direction": "unknown", "network.packets": 4, @@ -2503,8 +2503,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -2522,8 +2522,8 @@ "source.packets": 3, "source.port": 49733, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2543,8 +2543,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -2556,8 +2556,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -2605,8 +2605,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 110854, @@ -2624,8 +2624,8 @@ "source.packets": 17, "source.port": 49729, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2645,8 +2645,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2658,8 +2658,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -2670,8 +2670,8 @@ "network.application": "google-base", "network.bytes": 7130, "network.community_id": [ - "1:BOxKcnspSYeGlEIAq4kZRZUOQwI=", - "1:/QO7BHQDGPe9VuWS4lQmlmUrL8Y=" + "1:/QO7BHQDGPe9VuWS4lQmlmUrL8Y=", + "1:BOxKcnspSYeGlEIAq4kZRZUOQwI=" ], "network.direction": "unknown", "network.packets": 22, @@ -2708,8 +2708,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 5611, @@ -2727,8 +2727,8 @@ "source.packets": 10, "source.port": 59651, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2755,8 +2755,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2768,8 +2768,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2818,9 +2818,9 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", + "0.0.0.0", "172.217.23.174", - "0.0.0.0" + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 4147, 
@@ -2838,8 +2838,8 @@ "source.packets": 6, "source.port": 59654, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2866,8 +2866,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2879,8 +2879,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2928,9 +2928,9 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", + "0.0.0.0", "172.217.23.174", - "0.0.0.0" + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -2948,8 +2948,8 @@ "source.packets": 3, "source.port": 59654, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2976,8 +2976,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2989,8 +2989,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -3039,9 +3039,9 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", + "0.0.0.0", "172.217.23.174", - "0.0.0.0" + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 4147, @@ -3059,8 +3059,8 @@ "source.packets": 6, "source.port": 59654, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3087,8 +3087,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3100,8 +3100,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -3149,9 +3149,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 125, @@ -3169,8 +3169,8 @@ "source.packets": 1, "source.port": 46872, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3190,8 +3190,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3203,8 +3203,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3252,8 +3252,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -3271,8 +3271,8 @@ "source.packets": 5, "source.port": 40462, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3292,8 +3292,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3305,8 +3305,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3355,8 +3355,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 4865, @@ -3374,8 +3374,8 @@ "source.packets": 10, "source.port": 59649, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3402,8 +3402,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -3415,8 +3415,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -3426,8 +3426,8 @@ "network.application": "dns", "network.bytes": 108, "network.community_id": [ - "1:xp7zCX+vHDMEvd7q1q/QqO3ZTRA=", - "1:qxDBcqAWxR8SogCdnvdJWTgWms4=" + "1:qxDBcqAWxR8SogCdnvdJWTgWms4=", + "1:xp7zCX+vHDMEvd7q1q/QqO3ZTRA=" ], "network.direction": "unknown", "network.packets": 1, @@ -3464,9 +3464,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -3484,8 +3484,8 @@ "source.packets": 1, "source.port": 51210, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3512,8 +3512,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3525,8 +3525,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -3574,9 +3574,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -3594,8 +3594,8 @@ "source.packets": 1, "source.port": 56105, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3615,8 +3615,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3628,8 +3628,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", 
@@ -3677,8 +3677,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -3696,8 +3696,8 @@ "source.packets": 3, "source.port": 39917, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3724,8 +3724,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3737,8 +3737,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -3786,9 +3786,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -3806,8 +3806,8 @@ "source.packets": 1, "source.port": 40172, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3827,8 +3827,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3840,8 +3840,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3889,8 +3889,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -3908,8 +3908,8 @@ "source.packets": 5, "source.port": 33442, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3936,8 +3936,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -3949,8 +3949,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3961,8 +3961,8 @@ "network.application": "google-base", "network.bytes": 35266, "network.community_id": [ - "1:pnLeyLsejpK3Vb1vPOzP7JQkyiY=", - "1:W49UlafRORUgFzbUeFlp6YzMV34=" + "1:W49UlafRORUgFzbUeFlp6YzMV34=", + "1:pnLeyLsejpK3Vb1vPOzP7JQkyiY=" ], "network.direction": "unknown", "network.packets": 44, @@ -3999,9 +3999,9 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", + "0.0.0.0", "172.217.23.174", - "0.0.0.0" + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 33437, @@ -4019,8 +4019,8 @@ "source.packets": 15, "source.port": 59650, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4047,8 +4047,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4060,8 +4060,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4071,8 +4071,8 @@ "network.application": "insufficient-data", "network.bytes": 333, "network.community_id": [ - "1:eGEazak93tskGIuJYMJQFKAmW0A=", - "1:NAXZX2WBKcTNrP+yejVeGNUns7M=" + "1:NAXZX2WBKcTNrP+yejVeGNUns7M=", + "1:eGEazak93tskGIuJYMJQFKAmW0A=" ], "network.direction": "unknown", "network.packets": 2, @@ -4109,9 +4109,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.220.220", - "0.0.0.0" + "208.67.220.220" ], "rule.name": "Internet Access", "server.bytes": 235, @@ -4129,8 +4129,8 @@ "source.packets": 1, "source.port": 35869, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -4157,8 +4157,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4170,8 +4170,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4181,8 +4181,8 @@ "network.application": "dns", "network.bytes": 226, "network.community_id": [ - "1:mhzPP3Jf6GGCKiSiLRFxS+1O+P8=", - "1:7NskKvATy4Z2zqSvMm5oTmaU8lE=" + "1:7NskKvATy4Z2zqSvMm5oTmaU8lE=", + "1:mhzPP3Jf6GGCKiSiLRFxS+1O+P8=" ], "network.direction": "unknown", "network.packets": 2, @@ -4219,9 +4219,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 129, @@ -4239,8 +4239,8 @@ "source.packets": 1, "source.port": 35510, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4267,8 +4267,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4280,8 +4280,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4291,8 +4291,8 @@ "network.application": "dns", "network.bytes": 228, "network.community_id": [ - "1:hGEE8bbZRooRdQ8XY9O8pxn6TDQ=", - "1:/DGROGpCvGwdwpEooDiBdsS9YB8=" + "1:/DGROGpCvGwdwpEooDiBdsS9YB8=", + "1:hGEE8bbZRooRdQ8XY9O8pxn6TDQ=" ], "network.direction": "unknown", "network.packets": 2, @@ -4329,9 +4329,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 130, @@ -4349,8 +4349,8 @@ "source.packets": 1, "source.port": 40766, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -4377,8 +4377,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4390,8 +4390,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4439,9 +4439,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.220.220", - "0.0.0.0" + "208.67.220.220" ], "rule.name": "Internet Access", "server.bytes": 657, @@ -4459,8 +4459,8 @@ "source.packets": 1, "source.port": 54348, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4480,8 +4480,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4493,8 +4493,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -4542,8 +4542,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -4561,8 +4561,8 @@ "source.packets": 3, "source.port": 38650, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4589,8 +4589,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4602,8 +4602,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -4651,9 +4651,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.220.220", - "0.0.0.0" + "208.67.220.220" ], "rule.name": "Internet Access", "server.bytes": 538, 
@@ -4671,8 +4671,8 @@ "source.packets": 1, "source.port": 46538, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4692,8 +4692,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4705,8 +4705,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4754,8 +4754,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 17785, @@ -4773,8 +4773,8 @@ "source.packets": 10, "source.port": 49728, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4801,8 +4801,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4814,8 +4814,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -4825,8 +4825,8 @@ "network.application": "dnscrypt", "network.bytes": 584, "network.community_id": [ - "1:RsPmin1FC/N3/Zpn60TkmXySqaY=", - "1:/jn8z00HDRDOUTffxLU1smVPZ6g=" + "1:/jn8z00HDRDOUTffxLU1smVPZ6g=", + "1:RsPmin1FC/N3/Zpn60TkmXySqaY=" ], "network.direction": "unknown", "network.packets": 2, @@ -4863,9 +4863,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.3", - "208.67.222.222", - "0.0.0.0" + "208.67.222.222" ], "rule.name": "Internet Access", "server.bytes": 218, @@ -4883,8 +4883,8 @@ "source.packets": 1, "source.port": 55300, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -4911,8 +4911,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4924,8 +4924,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -4935,8 +4935,8 @@ "network.application": "dnscrypt", "network.bytes": 681, "network.community_id": [ - "1:k+KidTvhgSviQreeEACLnjNoBSU=", - "1:2I4+aXpj8cd6jt5DOrEvRQP51Ts=" + "1:2I4+aXpj8cd6jt5DOrEvRQP51Ts=", + "1:k+KidTvhgSviQreeEACLnjNoBSU=" ], "network.direction": "unknown", "network.packets": 2, @@ -4973,9 +4973,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.3", - "208.67.222.222", - "0.0.0.0" + "208.67.222.222" ], "rule.name": "Internet Access", "server.bytes": 379, @@ -4993,8 +4993,8 @@ "source.packets": 1, "source.port": 55301, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5014,8 +5014,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5027,8 +5027,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -5076,8 +5076,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -5095,8 +5095,8 @@ "source.packets": 3, "source.port": 49732, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5123,8 +5123,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -5136,8 +5136,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5185,9 +5185,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.220.220", - "0.0.0.0" + "208.67.220.220" ], "rule.name": "Internet Access", "server.bytes": 133, @@ -5205,8 +5205,8 @@ "source.packets": 1, "source.port": 43393, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5233,8 +5233,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5246,8 +5246,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5295,9 +5295,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.222.222", - "0.0.0.0" + "208.67.222.222" ], "rule.name": "Internet Access", "server.bytes": 133, @@ -5315,8 +5315,8 @@ "source.packets": 1, "source.port": 50971, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5336,8 +5336,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5349,8 +5349,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -5361,8 +5361,8 @@ "network.application": "google-base", "network.bytes": 4694, "network.community_id": [ - "1:is7Zoy+gpeqr8NVWl6AZXGcsbyk=", - "1:e6Qwg0DrQS1hYKbNdrOZPkpJ9Og=" + "1:e6Qwg0DrQS1hYKbNdrOZPkpJ9Og=", + "1:is7Zoy+gpeqr8NVWl6AZXGcsbyk=" ], "network.direction": "unknown", "network.packets": 12, 
@@ -5399,8 +5399,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 3412, @@ -5418,8 +5418,8 @@ "source.packets": 6, "source.port": 59653, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5446,8 +5446,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5459,8 +5459,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5508,9 +5508,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.220.220", - "0.0.0.0" + "208.67.220.220" ], "rule.name": "Internet Access", "server.bytes": 91, @@ -5528,8 +5528,8 @@ "source.packets": 1, "source.port": 51536, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5556,8 +5556,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5569,8 +5569,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5580,8 +5580,8 @@ "network.application": "insufficient-data", "network.bytes": 231, "network.community_id": [ - "1:xgBW+lOsgbhN4U8LF7oZA9CxKtc=", - "1:cvHwb1Aog69nPT6baOZFWd/jjfs=" + "1:cvHwb1Aog69nPT6baOZFWd/jjfs=", + "1:xgBW+lOsgbhN4U8LF7oZA9CxKtc=" ], "network.direction": "unknown", "network.packets": 2, @@ -5618,9 +5618,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.222.220", - "0.0.0.0" + "208.67.222.220" ], "rule.name": "Internet Access", "server.bytes": 133, 
@@ -5638,8 +5638,8 @@ "source.packets": 1, "source.port": 47099, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5666,8 +5666,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5679,8 +5679,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5690,8 +5690,8 @@ "network.application": "insufficient-data", "network.bytes": 231, "network.community_id": [ - "1:jioMi01FXTItbt3mh4s64bZ8a38=", - "1:edhtaEyqLZAVJddtFJEcPYShNe4=" + "1:edhtaEyqLZAVJddtFJEcPYShNe4=", + "1:jioMi01FXTItbt3mh4s64bZ8a38=" ], "network.direction": "unknown", "network.packets": 2, @@ -5728,9 +5728,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.220.222", - "0.0.0.0" + "208.67.220.222" ], "rule.name": "Internet Access", "server.bytes": 133, @@ -5748,8 +5748,8 @@ "source.packets": 1, "source.port": 38028, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5776,8 +5776,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5789,8 +5789,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5800,8 +5800,8 @@ "network.application": "dns", "network.bytes": 212, "network.community_id": [ - "1:tSs11iGgoCuNAKj4gxnTl4Kol3U=", - "1:r7RzrK1wsSYf4l2Z2EpkkOhFnbk=" + "1:r7RzrK1wsSYf4l2Z2EpkkOhFnbk=", + "1:tSs11iGgoCuNAKj4gxnTl4Kol3U=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -5838,9 +5838,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.220.220", - "0.0.0.0" + "208.67.220.220" ], "rule.name": "Internet Access", "server.bytes": 131, @@ -5858,8 +5858,8 @@ "source.packets": 1, "source.port": 39688, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5886,8 +5886,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5899,8 +5899,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5948,9 +5948,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.2", - "208.67.220.220", - "0.0.0.0" + "208.67.220.220" ], "rule.name": "Internet Access", "server.bytes": 212, @@ -5968,8 +5968,8 @@ "source.packets": 2, "source.port": 56601, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5989,8 +5989,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6002,8 +6002,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -6013,8 +6013,8 @@ "network.application": "ssl", "network.bytes": 763, "network.community_id": [ - "1:is7Zoy+gpeqr8NVWl6AZXGcsbyk=", - "1:e6Qwg0DrQS1hYKbNdrOZPkpJ9Og=" + "1:e6Qwg0DrQS1hYKbNdrOZPkpJ9Og=", + "1:is7Zoy+gpeqr8NVWl6AZXGcsbyk=" ], "network.direction": "unknown", "network.packets": 4, @@ -6051,8 +6051,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 66, 
@@ -6070,8 +6070,8 @@ "source.packets": 3, "source.port": 59653, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6091,8 +6091,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6104,8 +6104,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -6116,8 +6116,8 @@ "network.application": "web-browsing", "network.bytes": 4694, "network.community_id": [ - "1:is7Zoy+gpeqr8NVWl6AZXGcsbyk=", - "1:e6Qwg0DrQS1hYKbNdrOZPkpJ9Og=" + "1:e6Qwg0DrQS1hYKbNdrOZPkpJ9Og=", + "1:is7Zoy+gpeqr8NVWl6AZXGcsbyk=" ], "network.direction": "unknown", "network.packets": 12, @@ -6154,8 +6154,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 3412, @@ -6173,8 +6173,8 @@ "source.packets": 6, "source.port": 59653, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6194,8 +6194,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -6207,8 +6207,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6257,8 +6257,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 5554, @@ -6276,8 +6276,8 @@ "source.packets": 10, "source.port": 59648, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -6297,8 +6297,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6310,8 +6310,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6359,8 +6359,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -6378,8 +6378,8 @@ "source.packets": 5, "source.port": 33731, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6399,8 +6399,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6412,8 +6412,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6423,8 +6423,8 @@ "network.application": "ssl", "network.bytes": 839, "network.community_id": [ - "1:bWPGym1bnaC7ldhngE5x/YDeC7M=", - "1:SEPxhwBCshRHEktuldozsubVTRI=" + "1:SEPxhwBCshRHEktuldozsubVTRI=", + "1:bWPGym1bnaC7ldhngE5x/YDeC7M=" ], "network.direction": "unknown", "network.packets": 8, @@ -6461,8 +6461,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -6480,8 +6480,8 @@ "source.packets": 4, "source.port": 43531, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6501,8 +6501,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -6514,8 +6514,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -6563,8 +6563,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -6582,8 +6582,8 @@ "source.packets": 3, "source.port": 32801, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6603,8 +6603,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6616,8 +6616,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -6665,8 +6665,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -6684,8 +6684,8 @@ "source.packets": 3, "source.port": 37836, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6712,8 +6712,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6725,8 +6725,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6774,9 +6774,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 129, @@ -6794,8 +6794,8 @@ "source.packets": 1, "source.port": 60824, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -6822,8 +6822,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6835,8 +6835,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -6884,9 +6884,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -6904,8 +6904,8 @@ "source.packets": 1, "source.port": 42403, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6932,8 +6932,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6945,8 +6945,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -6956,8 +6956,8 @@ "network.application": "dns", "network.bytes": 98, "network.community_id": [ - "1:XW3vdS0fzu9SOj7mK2wyCPxwJ0M=", - "1:E6VJqcuMoS+c2cZlIr8+Bs6VQX0=" + "1:E6VJqcuMoS+c2cZlIr8+Bs6VQX0=", + "1:XW3vdS0fzu9SOj7mK2wyCPxwJ0M=" ], "network.direction": "unknown", "network.packets": 1, @@ -6994,9 +6994,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -7014,8 +7014,8 @@ "source.packets": 1, "source.port": 35615, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7035,8 +7035,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -7048,8 +7048,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -7098,8 +7098,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 3307, @@ -7117,8 +7117,8 @@ "source.packets": 6, "source.port": 59652, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7138,8 +7138,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7151,8 +7151,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -7162,8 +7162,8 @@ "network.application": "ssl", "network.bytes": 763, "network.community_id": [ - "1:zBPdo2cbhu/ikZJVxuft5VV4gXc=", - "1:EWt4TLjkII9rdzFzQrCecjyvdNs=" + "1:EWt4TLjkII9rdzFzQrCecjyvdNs=", + "1:zBPdo2cbhu/ikZJVxuft5VV4gXc=" ], "network.direction": "unknown", "network.packets": 4, @@ -7200,8 +7200,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -7219,8 +7219,8 @@ "source.packets": 3, "source.port": 49731, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7240,8 +7240,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -7253,8 +7253,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -7302,8 +7302,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 17913, @@ -7321,8 +7321,8 @@ "source.packets": 10, "source.port": 49727, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7342,8 +7342,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7355,8 +7355,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -7405,8 +7405,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 3307, @@ -7424,8 +7424,8 @@ "source.packets": 6, "source.port": 59652, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7452,8 +7452,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7465,8 +7465,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7476,8 +7476,8 @@ "network.application": "dns", "network.bytes": 248, "network.community_id": [ - "1:G2ek0+shjHpXaDjxrlNsc5sJLuQ=", - "1:/Xjy04gjbQQiz3Dm/r+6kj+GMg0=" + "1:/Xjy04gjbQQiz3Dm/r+6kj+GMg0=", + "1:G2ek0+shjHpXaDjxrlNsc5sJLuQ=" ], "network.direction": "unknown", "network.packets": 2, @@ -7514,9 +7514,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 140, @@ -7534,8 +7534,8 @@ "source.packets": 1, "source.port": 56089, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -7555,8 +7555,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7568,8 +7568,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -7617,8 +7617,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -7636,8 +7636,8 @@ "source.packets": 3, "source.port": 59652, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7657,8 +7657,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -7670,8 +7670,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7719,8 +7719,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 19103, @@ -7738,8 +7738,8 @@ "source.packets": 10, "source.port": 49726, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7759,8 +7759,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7772,8 +7772,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", 
@@ -7783,8 +7783,8 @@ "network.application": "ssl", "network.bytes": 575, "network.community_id": [ - "1:XJXk4nygeZp8TS/14vBLhg+DfKI=", - "1:NZS7k9NnI0I+UkcHh8YmUK6arRY=" + "1:NZS7k9NnI0I+UkcHh8YmUK6arRY=", + "1:XJXk4nygeZp8TS/14vBLhg+DfKI=" ], "network.direction": "unknown", "network.packets": 4, @@ -7821,8 +7821,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -7840,8 +7840,8 @@ "source.packets": 3, "source.port": 39016, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7868,8 +7868,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7881,8 +7881,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -7930,9 +7930,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -7950,8 +7950,8 @@ "source.packets": 1, "source.port": 40729, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7971,8 +7971,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7984,8 +7984,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8033,8 +8033,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -8052,8 +8052,8 @@ "source.packets": 4, "source.port": 41143, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -8073,8 +8073,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8086,8 +8086,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8097,8 +8097,8 @@ "network.application": "ssl", "network.bytes": 839, "network.community_id": [ - "1:wwbXnRPCO0nnVuM2BI2LZzrmQ/g=", - "1:lcVnPe8/T/CLPPjevXJtoYzyOMk=" + "1:lcVnPe8/T/CLPPjevXJtoYzyOMk=", + "1:wwbXnRPCO0nnVuM2BI2LZzrmQ/g=" ], "network.direction": "unknown", "network.packets": 8, @@ -8135,8 +8135,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -8154,8 +8154,8 @@ "source.packets": 4, "source.port": 37533, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8182,8 +8182,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8195,8 +8195,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8244,9 +8244,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 129, @@ -8264,8 +8264,8 @@ "source.packets": 1, "source.port": 42977, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8292,8 +8292,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -8305,8 +8305,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -8354,9 +8354,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -8374,8 +8374,8 @@ "source.packets": 1, "source.port": 52267, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8402,8 +8402,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8415,8 +8415,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -8426,8 +8426,8 @@ "network.application": "dns", "network.bytes": 98, "network.community_id": [ - "1:zdSXmjz/Tji7CoqHzhggI9u9SGo=", - "1:oXHCNatSmIbrlcuJWvZAWRTeyNc=" + "1:oXHCNatSmIbrlcuJWvZAWRTeyNc=", + "1:zdSXmjz/Tji7CoqHzhggI9u9SGo=" ], "network.direction": "unknown", "network.packets": 1, @@ -8464,9 +8464,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -8484,8 +8484,8 @@ "source.packets": 1, "source.port": 38271, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8505,8 +8505,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8518,8 +8518,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -8568,8 +8568,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 5616, @@ -8587,8 +8587,8 @@ "source.packets": 10, "source.port": 59647, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8608,8 +8608,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8621,8 +8621,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -8632,8 +8632,8 @@ "network.application": "ssl", "network.bytes": 575, "network.community_id": [ - "1:UoT96BuGScPef2zT4Or/oTpjPIA=", - "1:KTKTGO4zN+SNmL9OPeJNGCD6uHQ=" + "1:KTKTGO4zN+SNmL9OPeJNGCD6uHQ=", + "1:UoT96BuGScPef2zT4Or/oTpjPIA=" ], "network.direction": "unknown", "network.packets": 4, @@ -8670,8 +8670,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -8689,8 +8689,8 @@ "source.packets": 3, "source.port": 34594, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8710,8 +8710,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8723,8 +8723,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -8772,8 +8772,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -8791,8 +8791,8 @@ "source.packets": 3, "source.port": 34531, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -8812,8 +8812,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8825,8 +8825,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -8874,8 +8874,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -8893,8 +8893,8 @@ "source.packets": 3, "source.port": 34531, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8921,8 +8921,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8934,8 +8934,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -8945,8 +8945,8 @@ "network.application": "dns", "network.bytes": 108, "network.community_id": [ - "1:n1xJjm8dA0w4NLBOwk4MphDhs/8=", - "1:gXS9tqyuBg6/0KzAEU4EdHyNAoI=" + "1:gXS9tqyuBg6/0KzAEU4EdHyNAoI=", + "1:n1xJjm8dA0w4NLBOwk4MphDhs/8=" ], "network.direction": "unknown", "network.packets": 1, @@ -8983,9 +8983,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -9003,8 +9003,8 @@ "source.packets": 1, "source.port": 39926, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9031,8 +9031,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -9044,8 +9044,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -9093,9 +9093,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -9113,8 +9113,8 @@ "source.packets": 1, "source.port": 50703, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9141,8 +9141,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -9154,8 +9154,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9165,8 +9165,8 @@ "network.application": "dns", "network.bytes": 205, "network.community_id": [ - "1:Vd+4wF3BBhfIti3Ac78v09oGnBA=", - "1:/8/NBiUHojwG7Xg0G7kYyPaXr8g=" + "1:/8/NBiUHojwG7Xg0G7kYyPaXr8g=", + "1:Vd+4wF3BBhfIti3Ac78v09oGnBA=" ], "network.direction": "unknown", "network.packets": 2, @@ -9203,9 +9203,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 130, @@ -9223,8 +9223,8 @@ "source.packets": 1, "source.port": 44390, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9251,8 +9251,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -9264,8 +9264,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -9313,9 +9313,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.3", - "208.67.222.222", - "0.0.0.0" + "208.67.222.222" ], "rule.name": "Internet Access", "server.bytes": 124, @@ -9333,8 +9333,8 @@ "source.packets": 1, "source.port": 62393, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9354,8 +9354,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -9367,8 +9367,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -9416,8 +9416,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.3", - "0.0.0.0" + "0.0.0.0", + "192.168.2.3" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -9435,8 +9435,8 @@ "source.packets": 3, "source.port": 49729, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9463,8 +9463,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -9476,8 +9476,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9525,9 +9525,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 155, @@ -9545,8 +9545,8 @@ "source.packets": 1, "source.port": 52595, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9566,8 +9566,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -9579,8 +9579,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -9590,8 +9590,8 @@ "network.application": "ssl", "network.bytes": 763, "network.community_id": [ - "1:BOxKcnspSYeGlEIAq4kZRZUOQwI=", - "1:/QO7BHQDGPe9VuWS4lQmlmUrL8Y=" + "1:/QO7BHQDGPe9VuWS4lQmlmUrL8Y=", + "1:BOxKcnspSYeGlEIAq4kZRZUOQwI=" ], "network.direction": "unknown", "network.packets": 4, @@ -9628,8 +9628,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 66, @@ -9647,8 +9647,8 @@ "source.packets": 3, "source.port": 59651, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9668,8 +9668,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -9681,8 +9681,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -9693,8 +9693,8 @@ "network.application": "web-browsing", "network.bytes": 4691, "network.community_id": [ - "1:BOxKcnspSYeGlEIAq4kZRZUOQwI=", - "1:/QO7BHQDGPe9VuWS4lQmlmUrL8Y=" + "1:/QO7BHQDGPe9VuWS4lQmlmUrL8Y=", + "1:BOxKcnspSYeGlEIAq4kZRZUOQwI=" ], "network.direction": "unknown", "network.packets": 12, @@ -9731,8 +9731,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 3412, @@ -9750,8 +9750,8 @@ "source.packets": 6, "source.port": 59651, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9771,8 +9771,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -9784,8 +9784,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -9796,8 +9796,8 @@ "network.application": "google-base", "network.bytes": 4691, "network.community_id": [ - "1:BOxKcnspSYeGlEIAq4kZRZUOQwI=", - "1:/QO7BHQDGPe9VuWS4lQmlmUrL8Y=" + "1:/QO7BHQDGPe9VuWS4lQmlmUrL8Y=", + "1:BOxKcnspSYeGlEIAq4kZRZUOQwI=" ], "network.direction": "unknown", "network.packets": 12, @@ -9834,8 +9834,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 3412, @@ -9853,8 +9853,8 @@ "source.packets": 6, "source.port": 59651, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9881,8 +9881,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -9894,8 +9894,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -9905,8 +9905,8 @@ "network.application": "dns", "network.bytes": 88, "network.community_id": [ - "1:xTgEWF1j1WlUrwPBxPE1w6cIEQ0=", - "1:8mJEAxlzSAN7kI8RxRD+VJaaFr4=" + "1:8mJEAxlzSAN7kI8RxRD+VJaaFr4=", + "1:xTgEWF1j1WlUrwPBxPE1w6cIEQ0=" ], "network.direction": "unknown", "network.packets": 1, @@ -9943,9 +9943,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.1.3", - "208.67.222.222", - "0.0.0.0" + "208.67.222.222" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -9963,8 +9963,8 @@ "source.packets": 1, "source.port": 61558, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -9991,8 +9991,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10004,8 +10004,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -10053,9 +10053,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.3", - "208.67.222.222", - "0.0.0.0" + "208.67.222.222" ], "rule.name": "Internet Access", "server.bytes": 666, @@ -10073,8 +10073,8 @@ "source.packets": 1, "source.port": 54614, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10094,8 +10094,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10107,8 +10107,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10118,8 +10118,8 @@ "network.application": "ssl", "network.bytes": 905, "network.community_id": [ - "1:xHcxAhO0Fj+/iw9FFtnTiLDB4CM=", - "1:hjTmLDNLgTfKYeqE27Mpin3oB/4=" + "1:hjTmLDNLgTfKYeqE27Mpin3oB/4=", + "1:xHcxAhO0Fj+/iw9FFtnTiLDB4CM=" ], "network.direction": "unknown", "network.packets": 9, @@ -10156,8 +10156,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -10175,8 +10175,8 @@ "source.packets": 5, "source.port": 40343, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10196,8 +10196,8 @@ "destination.port": 514, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -10209,8 +10209,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10258,8 +10258,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 272, @@ -10277,8 +10277,8 @@ "source.packets": 5, "source.port": 34636, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10305,8 +10305,8 @@ "destination.port": 53, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10318,8 +10318,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -10329,8 +10329,8 @@ "network.application": "dns", "network.bytes": 97, "network.community_id": [ - "1:tiZQiOsx7Hl1UTep1NIb5ys9EJI=", - "1:034cmEuUmzrfPtJNEB6qtgQkEM4=" + "1:034cmEuUmzrfPtJNEB6qtgQkEM4=", + "1:tiZQiOsx7Hl1UTep1NIb5ys9EJI=" ], "network.direction": "unknown", "network.packets": 1, @@ -10367,9 +10367,9 @@ "PA-VM" ], "related.ip": [ + "0.0.0.0", "192.168.2.4", - "8.8.8.8", - "0.0.0.0" + "8.8.8.8" ], "rule.name": "Internet Access", "server.bytes": 0, @@ -10387,8 +10387,8 @@ "source.packets": 1, "source.port": 59479, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10408,8 +10408,8 @@ "destination.port": 514, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10421,8 +10421,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", 
@@ -10470,8 +10470,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.4", - "0.0.0.0" + "0.0.0.0", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 74, @@ -10489,8 +10489,8 @@ "source.packets": 3, "source.port": 40462, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10510,8 +10510,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10523,8 +10523,8 @@ "event.timezone": "+01:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10573,8 +10573,8 @@ "PA-VM" ], "related.ip": [ - "192.168.2.2", - "0.0.0.0" + "0.0.0.0", + "192.168.2.2" ], "rule.name": "Internet Access", "server.bytes": 5612, @@ -10592,8 +10592,8 @@ "source.packets": 10, "source.port": 59646, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index ef9975180c1..5b0758c8d4f 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -20,9 +20,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -80,9 +80,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", 
@@ -97,8 +97,8 @@ "source.nat.port": 37679, "source.port": 52984, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -125,9 +125,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -147,8 +147,8 @@ "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:svoGHRUXQeOT1QlGYhMbEalRiPU=", - "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=" + "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=", + "1:svoGHRUXQeOT1QlGYhMbEalRiPU=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -185,9 +185,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -202,8 +202,8 @@ "source.nat.port": 28249, "source.port": 52983, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -230,9 +230,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -252,8 +252,8 @@ "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:cl1ZW9fCG1bKgQuAww26hYqxyq0=", - "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=" + "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=", + "1:cl1ZW9fCG1bKgQuAww26hYqxyq0=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -290,9 +290,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -307,8 +307,8 @@ "source.nat.port": 63898, "source.port": 52986, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -335,9 +335,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -395,9 +395,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -412,8 +412,8 @@ "source.nat.port": 7515, "source.port": 52985, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", 
@@ -440,9 +440,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -462,8 +462,8 @@ "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:ZuULYSnnlQSsdqWsfJBHQTPqbJo=", - "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=" + "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=", + "1:ZuULYSnnlQSsdqWsfJBHQTPqbJo=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -500,9 +500,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -517,8 +517,8 @@ "source.nat.port": 3225, "source.port": 52987, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -545,9 +545,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -567,8 +567,8 @@ "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:ovf/7i/MclKhY1UKalpHzmmlthk=", - "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=" + "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=", + "1:ovf/7i/MclKhY1UKalpHzmmlthk=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -605,9 +605,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -622,8 +622,8 @@ "source.nat.port": 60449, "source.port": 52988, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -650,9 +650,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -710,9 +710,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -727,8 +727,8 @@ "source.nat.port": 60559, "source.port": 52990, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", 
@@ -755,9 +755,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -815,9 +815,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -832,8 +832,8 @@ "source.nat.port": 47414, "source.port": 52989, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -860,9 +860,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -882,8 +882,8 @@ "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:UDkY52oWrSsYAqwPSTAKyKhwzvQ=", - "1:BilmVEwf9nQIXodvin3X6lZuVAc=" + "1:BilmVEwf9nQIXodvin3X6lZuVAc=", + "1:UDkY52oWrSsYAqwPSTAKyKhwzvQ=" ], "network.direction": "inbound", "network.transport": "tcp", 
@@ -920,9 +920,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -937,8 +937,8 @@ "source.nat.port": 37673, "source.port": 52992, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -965,9 +965,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -987,8 +987,8 @@ "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:pWCQCkwDKmw2APwAJ2GcT6QNXQg=", - "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=" + "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=", + "1:pWCQCkwDKmw2APwAJ2GcT6QNXQg=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -1025,9 +1025,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1042,8 +1042,8 @@ "source.nat.port": 8232, "source.port": 52991, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", 
@@ -1070,9 +1070,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1130,9 +1130,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1147,8 +1147,8 @@ "source.nat.port": 32982, "source.port": 52994, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -1175,9 +1175,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1235,9 +1235,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1252,8 +1252,8 @@ "source.nat.port": 10473, "source.port": 52993, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -1280,9 +1280,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -1302,8 +1302,8 @@ "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:r3rve3ghPTa/BACcRlan0FEgZFw=", - "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=" + "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=", + "1:r3rve3ghPTa/BACcRlan0FEgZFw=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -1340,9 +1340,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1357,8 +1357,8 @@ "source.nat.port": 20446, "source.port": 52995, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -1385,9 +1385,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1445,9 +1445,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1462,8 +1462,8 @@ "source.nat.port": 34699, "source.port": 52996, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", 
@@ -1490,9 +1490,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1512,8 +1512,8 @@ "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:ttgSlbqHs+GKueSexHsquCbfjCk=", - "1:lJHLfl+/x95GohXozN52zokIxvA=" + "1:lJHLfl+/x95GohXozN52zokIxvA=", + "1:ttgSlbqHs+GKueSexHsquCbfjCk=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -1550,9 +1550,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1567,8 +1567,8 @@ "source.nat.port": 22820, "source.port": 52997, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -1595,9 +1595,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -1617,8 +1617,8 @@ "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:h4Yhxi4lfeFiizTNiugYzEk9CM4=", - "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=" + "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=", + "1:h4Yhxi4lfeFiizTNiugYzEk9CM4=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -1655,9 +1655,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1672,8 +1672,8 @@ "source.nat.port": 41060, "source.port": 52998, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -1700,9 +1700,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1760,9 +1760,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1777,8 +1777,8 @@ "source.nat.port": 9058, "source.port": 52999, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", 
@@ -1805,9 +1805,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1865,9 +1865,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1882,8 +1882,8 @@ "source.nat.port": 54846, "source.port": 53001, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -1910,9 +1910,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -1932,8 +1932,8 @@ "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:X4Zvg9D/bP0EYECRSLna3za4r68=", - "1:9noBCzeHKSZpuQWETkS7W5mOTT0=" + "1:9noBCzeHKSZpuQWETkS7W5mOTT0=", + "1:X4Zvg9D/bP0EYECRSLna3za4r68=" ], "network.direction": "inbound", "network.transport": "tcp", 
@@ -1970,9 +1970,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1987,8 +1987,8 @@ "source.nat.port": 52731, "source.port": 53002, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -2015,9 +2015,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2037,8 +2037,8 @@ "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:greC2ffRfw5diAvjZvd+je5rhrk=", - "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=" + "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=", + "1:greC2ffRfw5diAvjZvd+je5rhrk=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -2075,9 +2075,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2092,8 +2092,8 @@ "source.nat.port": 15165, "source.port": 53003, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", 
@@ -2120,9 +2120,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2180,9 +2180,9 @@ "b.scorecardresearch.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.137.131", - "192.168.1.63" + "23.72.137.131" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.137.131", @@ -2197,8 +2197,8 @@ "source.nat.port": 53918, "source.port": 53004, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "b.scorecardresearch.com", "url.original": "b.scorecardresearch.com/", @@ -2225,9 +2225,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2285,9 +2285,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2302,8 +2302,8 @@ "source.nat.port": 40792, "source.port": 53000, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -2330,9 +2330,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -2352,8 +2352,8 @@ "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:oWKucHrzLhzCpDmWJPLBELyMrzw=", - "1:WmnET8BZufXJpdVk04PIVGj+Kgk=" + "1:WmnET8BZufXJpdVk04PIVGj+Kgk=", + "1:oWKucHrzLhzCpDmWJPLBELyMrzw=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -2390,9 +2390,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2407,8 +2407,8 @@ "source.nat.port": 54044, "source.port": 53006, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -2435,9 +2435,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2495,9 +2495,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2512,8 +2512,8 @@ "source.nat.port": 19544, "source.port": 53007, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", 
@@ -2540,9 +2540,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2600,9 +2600,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2617,8 +2617,8 @@ "source.nat.port": 13462, "source.port": 53008, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -2645,9 +2645,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -2705,9 +2705,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2722,8 +2722,8 @@ "source.nat.port": 44892, "source.port": 53010, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -2750,9 +2750,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -2772,8 +2772,8 @@ "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:l33FK2i+ASkvlnDYQYRCH4evHcI=", - "1:00oN9bToRGtVdpy+GQ742sbkpfI=" + "1:00oN9bToRGtVdpy+GQ742sbkpfI=", + "1:l33FK2i+ASkvlnDYQYRCH4evHcI=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -2810,9 +2810,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2827,8 +2827,8 @@ "source.nat.port": 16487, "source.port": 53011, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -2855,9 +2855,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -2877,8 +2877,8 @@ "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:cSD3ZfDTv0BFEStL/v2rRm0wow0=", - "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=" + "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=", + "1:cSD3ZfDTv0BFEStL/v2rRm0wow0=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -2915,9 +2915,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2932,8 +2932,8 @@ "source.nat.port": 23952, "source.port": 53012, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -2960,9 +2960,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -2982,8 +2982,8 @@ "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:l8cnTJWO0qdKrXtvCBWHbQUpvgE=", - "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=" + "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=", + "1:l8cnTJWO0qdKrXtvCBWHbQUpvgE=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -3020,9 +3020,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3037,8 +3037,8 @@ "source.nat.port": 2810, "source.port": 53013, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -3065,9 +3065,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3125,9 +3125,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3142,8 +3142,8 @@ "source.nat.port": 13272, "source.port": 53014, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", 
@@ -3170,9 +3170,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3230,9 +3230,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3247,8 +3247,8 @@ "source.nat.port": 8663, "source.port": 53022, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -3275,9 +3275,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3335,9 +3335,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3352,8 +3352,8 @@ "source.nat.port": 55738, "source.port": 53023, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -3380,9 +3380,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -3402,8 +3402,8 @@ "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:spPQtp0F92JeXKXtvGndU6vymNo=", - "1:sWvGFBOOisURcvYe5nB5HUSa6B8=" + "1:sWvGFBOOisURcvYe5nB5HUSa6B8=", + "1:spPQtp0F92JeXKXtvGndU6vymNo=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -3440,9 +3440,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3457,8 +3457,8 @@ "source.nat.port": 10650, "source.port": 53024, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -3485,9 +3485,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -3507,8 +3507,8 @@ "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:xBwOt7zrEs9oyuV1oEHKLKXdg1Q=", - "1:LHZawFx+zgZPTd01rJqX/31kNmE=" + "1:LHZawFx+zgZPTd01rJqX/31kNmE=", + "1:xBwOt7zrEs9oyuV1oEHKLKXdg1Q=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -3545,9 +3545,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3562,8 +3562,8 @@ "source.nat.port": 44087, "source.port": 53025, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -3590,9 +3590,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -3612,8 +3612,8 @@ "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:z5jHjldbSP1U0TqDWR9Uox2k3Js=", - "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=" + "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=", + "1:z5jHjldbSP1U0TqDWR9Uox2k3Js=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -3650,9 +3650,9 @@ "consent.cmp.oath.com" ], "related.ip": [ - "192.168.15.224", "152.195.55.192", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3667,8 +3667,8 @@ "source.nat.port": 15915, "source.port": 53026, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "consent.cmp.oath.com", "url.original": "consent.cmp.oath.com/", @@ -3695,9 +3695,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -3717,8 +3717,8 @@ "log.original": "Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:tQxUFWF1PJh9XS+U53oZgNQELoA=", - "1:XdO4yHx+1HZM4GcutRTyur9ixdM=" + "1:XdO4yHx+1HZM4GcutRTyur9ixdM=", + "1:tQxUFWF1PJh9XS+U53oZgNQELoA=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -3755,9 +3755,9 @@ "cdn.taboola.com" ], "related.ip": [ - "192.168.15.224", "151.101.2.2", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.ip": "151.101.2.2", @@ -3772,8 +3772,8 @@ "source.nat.port": 41165, "source.port": 53041, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "cdn.taboola.com", "url.original": "cdn.taboola.com/", @@ -3803,9 +3803,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3863,9 +3863,9 @@ "rules.quantcount.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.192.7.152", - "192.168.1.63" + "54.192.7.152" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.192.7.152", @@ -3880,8 +3880,8 @@ "source.nat.port": 54133, "source.port": 53040, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "rules.quantcount.com", "url.original": "rules.quantcount.com/", 
@@ -3911,9 +3911,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -3971,9 +3971,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -3988,8 +3988,8 @@ "source.nat.port": 8485, "source.port": 53093, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4019,9 +4019,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4079,9 +4079,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4096,8 +4096,8 @@ "source.nat.port": 12496, "source.port": 53094, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4127,9 +4127,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4187,9 +4187,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", 
@@ -4204,8 +4204,8 @@ "source.nat.port": 17029, "source.port": 53095, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4235,9 +4235,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4295,9 +4295,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4312,8 +4312,8 @@ "source.nat.port": 23696, "source.port": 53096, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4343,9 +4343,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -4365,8 +4365,8 @@ "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:Z8gFtZEJJ5xho2+kyaSyoXp1O/I=", - "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=" + "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=", + "1:Z8gFtZEJJ5xho2+kyaSyoXp1O/I=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -4403,9 +4403,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4420,8 +4420,8 @@ "source.nat.port": 34769, "source.port": 53097, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4451,9 +4451,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4511,9 +4511,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", 
@@ -4528,8 +4528,8 @@ "source.nat.port": 22486, "source.port": 53099, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4559,9 +4559,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4619,9 +4619,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4636,8 +4636,8 @@ "source.nat.port": 12894, "source.port": 53100, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4667,9 +4667,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -4689,8 +4689,8 @@ "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:T7UcACShDtZytIaufQKjiQ8jkhM=", - "1:/GTSxrH684FoBXpyEBepCy2M81Q=" + "1:/GTSxrH684FoBXpyEBepCy2M81Q=", + "1:T7UcACShDtZytIaufQKjiQ8jkhM=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -4727,9 +4727,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4744,8 +4744,8 @@ "source.nat.port": 62348, "source.port": 53101, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4775,9 +4775,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4835,9 +4835,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", 
@@ -4852,8 +4852,8 @@ "source.nat.port": 6224, "source.port": 53104, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4883,9 +4883,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -4943,9 +4943,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4960,8 +4960,8 @@ "source.nat.port": 44120, "source.port": 53107, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -4991,9 +4991,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -5013,8 +5013,8 @@ "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:abQPCp6V8x2Fumiz5x/+vZnuNfM=", - "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=" + "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=", + "1:abQPCp6V8x2Fumiz5x/+vZnuNfM=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -5051,9 +5051,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -5068,8 +5068,8 @@ "source.nat.port": 44228, "source.port": 53108, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -5099,9 +5099,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5159,9 +5159,9 @@ "srv-2018-11-30-22.config.parsely.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.4.120.175", - "192.168.1.63" + "52.4.120.175" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", 
@@ -5176,8 +5176,8 @@ "source.nat.port": 31322, "source.port": 53109, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "srv-2018-11-30-22.config.parsely.com", "url.original": "srv-2018-11-30-22.config.parsely.com/", @@ -5207,9 +5207,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5229,8 +5229,8 @@ "log.original": "Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:iBwlaPm6awPJaLJMdMMVOH9f5RU=", - "1:WQC21tSR1QNUhWYgrcbgaLyTkos=" + "1:WQC21tSR1QNUhWYgrcbgaLyTkos=", + "1:iBwlaPm6awPJaLJMdMMVOH9f5RU=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -5267,9 +5267,9 @@ "www.googleadservices.com" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "216.58.194.98", - "192.168.1.63" + "216.58.194.98" ], "rule.name": "new_outbound_from_trust", "server.ip": "216.58.194.98", @@ -5284,8 +5284,8 @@ "source.nat.port": 1672, "source.port": 53118, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "www.googleadservices.com", "url.original": "www.googleadservices.com/", 
@@ -5312,9 +5312,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5372,9 +5372,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5389,8 +5389,8 @@ "source.nat.port": 20801, "source.port": 53126, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", @@ -5417,9 +5417,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5477,9 +5477,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5494,8 +5494,8 @@ "source.nat.port": 24533, "source.port": 53127, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", @@ -5522,9 +5522,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5582,9 +5582,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", 
@@ -5599,8 +5599,8 @@ "source.nat.port": 30150, "source.port": 53128, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", @@ -5627,9 +5627,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5687,9 +5687,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5704,8 +5704,8 @@ "source.nat.port": 36305, "source.port": 53129, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", @@ -5732,9 +5732,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -5754,8 +5754,8 @@ "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:Ob0VEjF8YeGq1hR7SbX0pZ+5/EI=", - "1:93oplAL+YibXq75Qng9iomHp97k=" + "1:93oplAL+YibXq75Qng9iomHp97k=", + "1:Ob0VEjF8YeGq1hR7SbX0pZ+5/EI=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -5792,9 +5792,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5809,8 +5809,8 @@ "source.nat.port": 42682, "source.port": 53130, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", @@ -5837,9 +5837,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5897,9 +5897,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5914,8 +5914,8 @@ "source.nat.port": 22530, "source.port": 53131, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", 
@@ -5942,9 +5942,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -5964,8 +5964,8 @@ "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:U5qBRasQ13RQONeFOyA2+9QbWK8=", - "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=" + "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=", + "1:U5qBRasQ13RQONeFOyA2+9QbWK8=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -6002,9 +6002,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6019,8 +6019,8 @@ "source.nat.port": 43713, "source.port": 53132, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", @@ -6047,9 +6047,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -6069,8 +6069,8 @@ "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:S99EiT3uXg1VHeNM5TVPoeW1Zrk=", - "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=" + "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=", + "1:S99EiT3uXg1VHeNM5TVPoeW1Zrk=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -6107,9 +6107,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6124,8 +6124,8 @@ "source.nat.port": 60608, "source.port": 53133, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", @@ -6152,9 +6152,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6212,9 +6212,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6229,8 +6229,8 @@ "source.nat.port": 9302, "source.port": 53134, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", 
@@ -6257,9 +6257,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6279,8 +6279,8 @@ "log.original": "Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:Z6zBvBoA+0NQryjJ96nYaFcOuXw=", - "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=" + "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=", + "1:Z6zBvBoA+0NQryjJ96nYaFcOuXw=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -6317,9 +6317,9 @@ "service.maxymiser.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.72.145.245", - "192.168.1.63" + "23.72.145.245" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6334,8 +6334,8 @@ "source.nat.port": 11634, "source.port": 53135, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "service.maxymiser.net", "url.original": "service.maxymiser.net/", @@ -6365,9 +6365,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -6387,8 +6387,8 @@ "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:Qo8vSWzvn9QN5ADlmHxjJft+bxA=", - "1:1XJhGS1EujYy5wSCA64wjjK7hwA=" + "1:1XJhGS1EujYy5wSCA64wjjK7hwA=", + "1:Qo8vSWzvn9QN5ADlmHxjJft+bxA=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -6425,9 +6425,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6442,8 +6442,8 @@ "source.nat.port": 30818, "source.port": 53152, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -6473,9 +6473,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6533,9 +6533,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6550,8 +6550,8 @@ "source.nat.port": 64260, "source.port": 53155, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", 
@@ -6581,9 +6581,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6641,9 +6641,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6658,8 +6658,8 @@ "source.nat.port": 7071, "source.port": 53158, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -6689,9 +6689,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6749,9 +6749,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6766,8 +6766,8 @@ "source.nat.port": 4512, "source.port": 53160, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -6797,9 +6797,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -6819,8 +6819,8 @@ "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:zcJ3HhZj3urz6vGwVhseviLv7kY=", - "1:KhCfFcRk3sovsTfN9pRRfgjsP84=" + "1:KhCfFcRk3sovsTfN9pRRfgjsP84=", + "1:zcJ3HhZj3urz6vGwVhseviLv7kY=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -6857,9 +6857,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6874,8 +6874,8 @@ "source.nat.port": 3422, "source.port": 53161, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -6905,9 +6905,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -6965,9 +6965,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6982,8 +6982,8 @@ "source.nat.port": 4651, "source.port": 53162, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", 
@@ -7013,9 +7013,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7035,8 +7035,8 @@ "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:oQCUvcNDUq8NlFsOiIljRD/md2E=", - "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw=" + "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw=", + "1:oQCUvcNDUq8NlFsOiIljRD/md2E=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -7073,9 +7073,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7090,8 +7090,8 @@ "source.nat.port": 19068, "source.port": 53163, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -7121,9 +7121,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -7181,9 +7181,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7198,8 +7198,8 @@ "source.nat.port": 5831, "source.port": 53164, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -7229,9 +7229,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7251,8 +7251,8 @@ "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:fsi7g4zFbrFG09Mvo8P/WofCEKc=", - "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk=" + "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk=", + "1:fsi7g4zFbrFG09Mvo8P/WofCEKc=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -7289,9 +7289,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7306,8 +7306,8 @@ "source.nat.port": 7084, "source.port": 53165, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", 
@@ -7337,9 +7337,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7359,8 +7359,8 @@ "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:wICcAfDG87s8YdjIhDgBqv6mTws=", - "1:/wf94ECkqPez+fxVgk+3KErtaBQ=" + "1:/wf94ECkqPez+fxVgk+3KErtaBQ=", + "1:wICcAfDG87s8YdjIhDgBqv6mTws=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -7397,9 +7397,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7414,8 +7414,8 @@ "source.nat.port": 18633, "source.port": 53166, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -7445,9 +7445,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -7505,9 +7505,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7522,8 +7522,8 @@ "source.nat.port": 25557, "source.port": 53167, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -7553,9 +7553,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7575,8 +7575,8 @@ "log.original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:pvzPjqjqA6kLTjxiRDVSDxuidwg=", - "1:O1zDnt5d52xTreiMgL/sHMRHiXA=" + "1:O1zDnt5d52xTreiMgL/sHMRHiXA=", + "1:pvzPjqjqA6kLTjxiRDVSDxuidwg=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -7613,9 +7613,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7630,8 +7630,8 @@ "source.nat.port": 20661, "source.port": 53150, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", 
@@ -7661,9 +7661,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -7683,8 +7683,8 @@ "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:hu8p8gkxiimZqTLhIkgVfSePEqk=", - "1:CwNRTMQumfdoC3msd4z5PIYkKLU=" + "1:CwNRTMQumfdoC3msd4z5PIYkKLU=", + "1:hu8p8gkxiimZqTLhIkgVfSePEqk=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -7721,9 +7721,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7738,8 +7738,8 @@ "source.nat.port": 65438, "source.port": 53185, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -7769,9 +7769,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -7791,8 +7791,8 @@ "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:z12wzV1bKYppHPfC9LypWH+RtE4=", - "1:0YBp8myYbHSoKWG2HvxutMfose0=" + "1:0YBp8myYbHSoKWG2HvxutMfose0=", + "1:z12wzV1bKYppHPfC9LypWH+RtE4=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -7829,9 +7829,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7846,8 +7846,8 @@ "source.nat.port": 53101, "source.port": 53187, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -7877,9 +7877,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", 
@@ -7899,8 +7899,8 @@ "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "network.application": "ssl", "network.community_id": [ - "1:eJYKKiIqzYxe5ja/6/hDB3CgzSI=", - "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w=" + "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w=", + "1:eJYKKiIqzYxe5ja/6/hDB3CgzSI=" ], "network.direction": "inbound", "network.transport": "tcp", @@ -7937,9 +7937,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7954,8 +7954,8 @@ "source.nat.port": 35463, "source.port": 53188, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", @@ -7985,9 +7985,9 @@ "destination.port": 443, "event.action": "url_filtering", "event.category": [ - "security_threat", "intrusion_detection", - "network" + "network", + "security_threat" ], "event.dataset": "panw.panos", "event.kind": "alert", @@ -8045,9 +8045,9 @@ "segment-data.zqtk.net" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.209.101.70", - "192.168.1.63" + "54.209.101.70" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -8062,8 +8062,8 @@ "source.nat.port": 45769, "source.port": 53178, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ], "url.domain": "segment-data.zqtk.net", "url.original": "segment-data.zqtk.net/", 
diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 9d86fbf8e1b..0962a23e432 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -23,8 +23,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 586000000000, @@ -36,8 +36,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -47,8 +47,8 @@ "network.application": "apple-maps", "network.bytes": 7734, "network.community_id": [ - "1:MhgXJlTEvCKgoyqMC+Xo7qMVGqc=", - "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=" + "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=", + "1:MhgXJlTEvCKgoyqMC+Xo7qMVGqc=" ], "network.direction": "outbound", "network.packets": 36, @@ -85,9 +85,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.207", "184.51.253.152", - "192.168.1.63" + "192.168.1.63", + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5976, @@ -105,8 +105,8 @@ "source.packets": 16, "source.port": 55113, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -133,8 +133,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -146,8 +146,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -157,8 +157,8 @@ "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" ], "network.direction": "outbound", "network.packets": 12, @@ -195,9 +195,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -215,8 +215,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -246,8 +246,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -259,8 +259,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -308,9 +308,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.207", "17.253.3.202", - "192.168.1.63" + "192.168.1.63", + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1035, @@ -328,8 +328,8 @@ "source.packets": 6, "source.port": 55114, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -356,8 +356,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -369,8 +369,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -380,8 +380,8 @@ "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" ], "network.direction": "outbound", "network.packets": 12, @@ -418,9 +418,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -438,8 +438,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -469,8 +469,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -482,8 +482,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -531,9 +531,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.196", - "216.58.194.99", - "192.168.1.63" + "216.58.194.99" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1613, @@ -551,8 +551,8 @@ "source.packets": 5, "source.port": 46774, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -579,8 +579,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 85000000000, @@ -592,8 +592,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -641,9 +641,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "209.234.224.22", - "192.168.1.63" + "209.234.224.22" ], "rule.name": "new_outbound_from_trust", "server.bytes": 21111, 
@@ -661,8 +661,8 @@ "source.packets": 62, "source.port": 52408, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -689,8 +689,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -702,8 +702,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -713,8 +713,8 @@ "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" ], "network.direction": "outbound", "network.packets": 12, @@ -751,9 +751,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -771,8 +771,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -799,8 +799,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 15000000000, @@ -812,8 +812,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -823,8 +823,8 @@ "network.application": "quic", "network.bytes": 7097, "network.community_id": [ - "1:q1tj6dPFkb+U8mUSdFp3CbUFXUk=", - "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=" + "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=", + "1:q1tj6dPFkb+U8mUSdFp3CbUFXUk=" ], "network.direction": "outbound", "network.packets": 16, 
@@ -861,9 +861,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "172.217.2.238", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 3732, @@ -881,8 +881,8 @@ "source.packets": 7, "source.port": 59190, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -909,8 +909,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -922,8 +922,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -971,9 +971,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.207", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 221, @@ -991,8 +991,8 @@ "source.packets": 1, "source.port": 49728, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1019,8 +1019,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1032,8 +1032,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1081,9 +1081,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.207", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 221, @@ -1101,8 +1101,8 @@ "source.packets": 1, "source.port": 50500, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -1129,8 +1129,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 593000000000, @@ -1142,8 +1142,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1191,9 +1191,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.207", "17.249.60.78", - "192.168.1.63" + "192.168.1.63", + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5469, @@ -1211,8 +1211,8 @@ "source.packets": 16, "source.port": 55112, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1239,8 +1239,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1252,8 +1252,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1301,9 +1301,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.207", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 224, @@ -1321,8 +1321,8 @@ "source.packets": 1, "source.port": 57632, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1349,8 +1349,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1362,8 +1362,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -1411,9 +1411,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.207", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 117, @@ -1431,8 +1431,8 @@ "source.packets": 1, "source.port": 50271, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1459,8 +1459,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1472,8 +1472,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1483,8 +1483,8 @@ "network.application": "dns", "network.bytes": 392, "network.community_id": [ - "1:b+lWViOjpbOZConz3JzrSDR609Q=", - "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=" + "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", + "1:b+lWViOjpbOZConz3JzrSDR609Q=" ], "network.direction": "outbound", "network.packets": 2, @@ -1521,9 +1521,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.207", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 307, @@ -1541,8 +1541,8 @@ "source.packets": 1, "source.port": 54061, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1569,8 +1569,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1582,8 +1582,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1631,9 +1631,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.207", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 365, 
@@ -1651,8 +1651,8 @@ "source.packets": 1, "source.port": 52701, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1679,8 +1679,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -1692,8 +1692,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1703,8 +1703,8 @@ "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" ], "network.direction": "outbound", "network.packets": 12, @@ -1741,9 +1741,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -1761,8 +1761,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1789,8 +1789,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -1802,8 +1802,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1813,8 +1813,8 @@ "network.application": "dns", "network.bytes": 258, "network.community_id": [ - "1:Jof66SUOY3j4C+WrZwbgtKls1/Y=", - "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=" + "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=", + "1:Jof66SUOY3j4C+WrZwbgtKls1/Y=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -1851,9 +1851,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 161, @@ -1871,8 +1871,8 @@ "source.packets": 1, "source.port": 62503, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -1899,8 +1899,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 17000000000, @@ -1912,8 +1912,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -1961,9 +1961,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "98.138.49.44", - "192.168.1.63" + "98.138.49.44" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7805, @@ -1981,8 +1981,8 @@ "source.packets": 14, "source.port": 52442, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2009,8 +2009,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 17000000000, @@ -2022,8 +2022,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -2071,9 +2071,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "72.30.3.43", - "192.168.1.63" + "72.30.3.43" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6106, @@ -2091,8 +2091,8 @@ "source.packets": 13, "source.port": 52441, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -2119,8 +2119,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2132,8 +2132,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -2181,9 +2181,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.196", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 196, @@ -2201,8 +2201,8 @@ "source.packets": 2, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2229,8 +2229,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 116000000000, @@ -2242,8 +2242,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -2291,9 +2291,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "172.217.9.142", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 3245, @@ -2311,8 +2311,8 @@ "source.packets": 19, "source.port": 52355, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2339,8 +2339,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2352,8 +2352,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -2363,8 +2363,8 @@ "network.application": "dns", "network.bytes": 261, "network.community_id": [ - "1:URR/wC9NPuHbnjGQ1Y7LffVYlTc=", - "1:9T+RKr8xDB21pvAf/Fihyq72sLY=" + "1:9T+RKr8xDB21pvAf/Fihyq72sLY=", + "1:URR/wC9NPuHbnjGQ1Y7LffVYlTc=" ], "network.direction": "outbound", "network.packets": 2, @@ -2401,9 +2401,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.207", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 179, @@ -2421,8 +2421,8 @@ "source.packets": 1, "source.port": 50196, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2452,8 +2452,8 @@ "destination.port": 443, "event.action": "flow_started", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2465,8 +2465,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "start", - "connection" + "connection", + "start" ], "fileset.name": "panos", "input.type": "log", @@ -2514,9 +2514,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.84.80.198", - "192.168.1.63" + "54.84.80.198" ], "rule.name": "new_outbound_from_trust", "server.bytes": 4537, @@ -2534,8 +2534,8 @@ "source.packets": 13, "source.port": 52454, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2563,8 +2563,8 @@ "destination.port": 4282, "event.action": "flow_dropped", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 13000000000, @@ -2576,8 +2576,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "panos", "input.type": "log", 
@@ -2587,8 +2587,8 @@ "network.application": "incomplete", "network.bytes": 624, "network.community_id": [ - "1:wFD93203ukPDpbZjVJE5SAMYrw4=", - "1:07q7McJtir76GhJwAJffz+C0sNo=" + "1:07q7McJtir76GhJwAJffz+C0sNo=", + "1:wFD93203ukPDpbZjVJE5SAMYrw4=" ], "network.direction": "outbound", "network.packets": 8, @@ -2625,9 +2625,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "199.167.55.52", - "192.168.1.63" + "199.167.55.52" ], "rule.name": "new_outbound_from_trust", "server.bytes": 0, @@ -2645,8 +2645,8 @@ "source.packets": 8, "source.port": 52445, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2673,8 +2673,8 @@ "destination.port": 0, "event.action": "flow_denied", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -2686,8 +2686,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "panos", "input.type": "log", @@ -2697,8 +2697,8 @@ "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" ], "network.direction": "outbound", "network.packets": 12, @@ -2735,9 +2735,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -2755,8 +2755,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2782,8 +2782,8 @@ "destination.packets": 1, "destination.port": 53, "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -2804,8 +2804,8 @@ "network.application": "dns", "network.bytes": 215, "network.community_id": [ - "1:XjmNQR0k4Z9rGS6dXH+3mvmrqzA=", - "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=" + "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=", + "1:XjmNQR0k4Z9rGS6dXH+3mvmrqzA=" ], "network.direction": "outbound", "network.packets": 2, @@ -2841,9 +2841,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.210", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 130, @@ -2861,8 +2861,8 @@ "source.packets": 1, "source.port": 35485, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2888,8 +2888,8 @@ "destination.packets": 6, "destination.port": 443, "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 15000000000, @@ -2910,8 +2910,8 @@ "network.application": "quic", "network.bytes": 4867, "network.community_id": [ - "1:lVJii2BraOSOIissazAe7/enqkQ=", - "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=" + "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=", + "1:lVJii2BraOSOIissazAe7/enqkQ=" ], "network.direction": "outbound", "network.packets": 12, @@ -2948,9 +2948,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "172.217.9.142", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1991, @@ -2968,8 +2968,8 @@ "source.packets": 6, "source.port": 62730, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -2996,8 +2996,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3009,8 +3009,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -3058,9 +3058,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "151.101.2.2", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 523, @@ -3078,8 +3078,8 @@ "source.packets": 8, "source.port": 52506, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3109,8 +3109,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3122,8 +3122,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3171,9 +3171,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "216.58.194.66", - "192.168.1.63" + "216.58.194.66" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2428, @@ -3191,8 +3191,8 @@ "source.packets": 5, "source.port": 60596, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3219,8 +3219,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3232,8 +3232,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3243,8 +3243,8 @@ "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" ], "network.direction": "outbound", "network.packets": 12, @@ -3281,9 +3281,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, 
@@ -3301,8 +3301,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3329,8 +3329,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3342,8 +3342,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3391,9 +3391,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.210", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 196, @@ -3411,8 +3411,8 @@ "source.packets": 2, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3439,8 +3439,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3452,8 +3452,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3463,8 +3463,8 @@ "network.application": "ssl", "network.bytes": 7231, "network.community_id": [ - "1:zaX+BV1nxniPCPzIGKhVpm2i7CE=", - "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=" + "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=", + "1:zaX+BV1nxniPCPzIGKhVpm2i7CE=" ], "network.direction": "outbound", "network.packets": 22, @@ -3501,9 +3501,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "184.51.253.193", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5003, @@ -3521,8 +3521,8 @@ "source.packets": 12, "source.port": 52514, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -3549,8 +3549,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3562,8 +3562,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3611,9 +3611,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 171, @@ -3631,8 +3631,8 @@ "source.packets": 1, "source.port": 55155, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3660,8 +3660,8 @@ "destination.port": 4282, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -3673,8 +3673,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3684,8 +3684,8 @@ "network.application": "incomplete", "network.bytes": 78, "network.community_id": [ - "1:wFD93203ukPDpbZjVJE5SAMYrw4=", - "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=" + "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=", + "1:wFD93203ukPDpbZjVJE5SAMYrw4=" ], "network.direction": "outbound", "network.packets": 1, @@ -3722,9 +3722,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "199.167.55.52", - "192.168.1.63" + "199.167.55.52" ], "rule.name": "new_outbound_from_trust", "server.bytes": 0, @@ -3742,8 +3742,8 @@ "source.packets": 1, "source.port": 52445, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3773,8 +3773,8 @@ "destination.port": 17472, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -3786,8 +3786,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3835,9 +3835,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "199.167.52.219", - "192.168.1.63" + "199.167.52.219" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2316, @@ -3855,8 +3855,8 @@ "source.packets": 11, "source.port": 52516, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3886,8 +3886,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 4000000000, @@ -3899,8 +3899,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -3910,8 +3910,8 @@ "network.application": "ssl", "network.bytes": 16594, "network.community_id": [ - "1:lrruE+4dZreV0/+v9V1CpxRnfsE=", - "1:EG9O/WtvoWuYwaB1MXJTgr43kac=" + "1:EG9O/WtvoWuYwaB1MXJTgr43kac=", + "1:lrruE+4dZreV0/+v9V1CpxRnfsE=" ], "network.direction": "outbound", "network.packets": 38, @@ -3948,9 +3948,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.71.117.196", - "192.168.1.63" + "52.71.117.196" ], "rule.name": "new_outbound_from_trust", "server.bytes": 13966, @@ -3968,8 +3968,8 @@ "source.packets": 19, "source.port": 52511, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -3996,8 +3996,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4009,8 +4009,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -4058,9 +4058,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 244, @@ -4078,8 +4078,8 @@ "source.packets": 1, "source.port": 3018, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4106,8 +4106,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4119,8 +4119,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4168,9 +4168,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 205, @@ -4188,8 +4188,8 @@ "source.packets": 1, "source.port": 16569, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4219,8 +4219,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 8000000000, @@ -4232,8 +4232,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4243,8 +4243,8 @@ "network.application": "ssl", "network.bytes": 6598, "network.community_id": [ - "1:oy06sQtSbOzvWgK/dr7N5HKE5Ng=", - "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=" + "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=", + "1:oy06sQtSbOzvWgK/dr7N5HKE5Ng=" ], "network.direction": "outbound", "network.packets": 44, @@ -4281,9 +4281,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "35.186.194.41", - "192.168.1.63" + "35.186.194.41" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2302, 
@@ -4301,8 +4301,8 @@ "source.packets": 24, "source.port": 52479, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4327,8 +4327,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 8000000000, @@ -4340,8 +4340,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4389,9 +4389,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "35.201.124.9", - "192.168.1.63" + "35.201.124.9" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6757, @@ -4409,8 +4409,8 @@ "source.packets": 63, "source.port": 52478, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4440,8 +4440,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 6000000000, @@ -4453,8 +4453,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4502,9 +4502,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "100.24.131.237", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 9007, @@ -4522,8 +4522,8 @@ "source.packets": 17, "source.port": 52502, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4550,8 +4550,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 13000000000, 
@@ -4563,8 +4563,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4574,8 +4574,8 @@ "network.application": "ssl", "network.bytes": 1761, "network.community_id": [ - "1:ZTCXYP/obCmlK+BT3BISstdxpCk=", - "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=" + "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=", + "1:ZTCXYP/obCmlK+BT3BISstdxpCk=" ], "network.direction": "outbound", "network.packets": 15, @@ -4612,9 +4612,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "184.51.252.247", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 661, @@ -4632,8 +4632,8 @@ "source.packets": 8, "source.port": 52458, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4663,8 +4663,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 8000000000, @@ -4676,8 +4676,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4725,9 +4725,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "35.190.88.148", - "192.168.1.63" + "35.190.88.148" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -4745,8 +4745,8 @@ "source.packets": 15, "source.port": 52484, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4776,8 +4776,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 8000000000, @@ -4789,8 +4789,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -4800,8 +4800,8 @@ "network.application": "ssl", "network.bytes": 14732, "network.community_id": [ - "1:t/ErTuEXtgYIkRnq4+UdhVKcFnA=", - "1:Xx31zYZNYc/mjf2GOihkp6JogmA=" + "1:Xx31zYZNYc/mjf2GOihkp6JogmA=", + "1:t/ErTuEXtgYIkRnq4+UdhVKcFnA=" ], "network.direction": "outbound", "network.packets": 31, @@ -4838,9 +4838,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "35.186.243.83", - "192.168.1.63" + "35.186.243.83" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -4858,8 +4858,8 @@ "source.packets": 15, "source.port": 52482, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4886,8 +4886,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -4899,8 +4899,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -4910,8 +4910,8 @@ "network.application": "dns", "network.bytes": 266, "network.community_id": [ - "1:Y7iOj20be5Di4rx5iGHLO9k0YoU=", - "1:445AeHI1LAvb+ii4arRZeLAO4zM=" + "1:445AeHI1LAvb+ii4arRZeLAO4zM=", + "1:Y7iOj20be5Di4rx5iGHLO9k0YoU=" ], "network.direction": "external", "network.packets": 2, @@ -4948,9 +4948,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 182, @@ -4968,8 +4968,8 @@ "source.packets": 1, "source.port": 33769, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -4996,8 +4996,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -5009,8 +5009,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5020,8 +5020,8 @@ "network.application": "dns", "network.bytes": 164, "network.community_id": [ - "1:8HlDMcJ2vfYtzQNW4/YDX7avDu8=", - "1:+5KwsEYW+tFecEENSBwHbKTvUv8=" + "1:+5KwsEYW+tFecEENSBwHbKTvUv8=", + "1:8HlDMcJ2vfYtzQNW4/YDX7avDu8=" ], "network.direction": "internal", "network.packets": 2, @@ -5058,9 +5058,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 90, @@ -5078,8 +5078,8 @@ "source.packets": 1, "source.port": 14106, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5109,8 +5109,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 6000000000, @@ -5122,8 +5122,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5133,8 +5133,8 @@ "network.application": "ssl", "network.bytes": 9400, "network.community_id": [ - "1:dDqHJ1Y91GSM0iyiXXbBnOasVJM=", - "1:DRqq/mx90TOYq1a5yLf562kwIvc=" + "1:DRqq/mx90TOYq1a5yLf562kwIvc=", + "1:dDqHJ1Y91GSM0iyiXXbBnOasVJM=" ], "network.direction": "inbound", "network.packets": 30, @@ -5171,9 +5171,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "100.24.165.74", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6669, @@ -5191,8 +5191,8 @@ "source.packets": 17, "source.port": 52503, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -5219,8 +5219,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 13000000000, @@ -5232,8 +5232,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5281,9 +5281,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "184.51.252.247", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 661, @@ -5301,8 +5301,8 @@ "source.packets": 8, "source.port": 52459, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5327,8 +5327,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 8000000000, @@ -5340,8 +5340,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5389,9 +5389,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "35.201.94.140", - "192.168.1.63" + "35.201.94.140" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -5409,8 +5409,8 @@ "source.packets": 15, "source.port": 52483, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5437,8 +5437,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5450,8 +5450,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -5461,8 +5461,8 @@ "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" ], "network.direction": "unknown", "network.packets": 12, @@ -5495,9 +5495,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -5515,8 +5515,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5543,8 +5543,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5556,8 +5556,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5605,9 +5605,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 144, @@ -5625,8 +5625,8 @@ "source.packets": 1, "source.port": 38663, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5653,8 +5653,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5666,8 +5666,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -5677,8 +5677,8 @@ "network.application": "dns", "network.bytes": 337, "network.community_id": [ - "1:pe+tF7SEY/Km9LRsrGI4UWHmV8E=", - "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=" + "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=", + "1:pe+tF7SEY/Km9LRsrGI4UWHmV8E=" ], "network.direction": "outbound", "network.packets": 2, @@ -5715,9 +5715,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 206, @@ -5735,8 +5735,8 @@ "source.packets": 1, "source.port": 50443, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5763,8 +5763,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5776,8 +5776,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5825,9 +5825,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 206, @@ -5845,8 +5845,8 @@ "source.packets": 1, "source.port": 54215, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5873,8 +5873,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5886,8 +5886,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -5935,9 +5935,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 169, 
@@ -5955,8 +5955,8 @@ "source.packets": 1, "source.port": 35827, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -5983,8 +5983,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -5996,8 +5996,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6045,9 +6045,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 132, @@ -6065,8 +6065,8 @@ "source.packets": 1, "source.port": 60609, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6093,8 +6093,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6106,8 +6106,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6117,8 +6117,8 @@ "network.application": "dns", "network.bytes": 206, "network.community_id": [ - "1:v2Rn2HMvdhM3B2CXYva9UePt+Og=", - "1:hsTAFtOdeb7+Ofe152B+9h69mbE=" + "1:hsTAFtOdeb7+Ofe152B+9h69mbE=", + "1:v2Rn2HMvdhM3B2CXYva9UePt+Og=" ], "network.direction": "outbound", "network.packets": 2, @@ -6155,9 +6155,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 127, @@ -6175,8 +6175,8 @@ "source.packets": 1, "source.port": 3248, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -6203,8 +6203,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6216,8 +6216,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6227,8 +6227,8 @@ "network.application": "dns", "network.bytes": 194, "network.community_id": [ - "1:tO559KwdaAXfBh7HmZSLp9/JUJQ=", - "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=" + "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=", + "1:tO559KwdaAXfBh7HmZSLp9/JUJQ=" ], "network.direction": "outbound", "network.packets": 2, @@ -6265,9 +6265,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.196", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 105, @@ -6285,8 +6285,8 @@ "source.packets": 1, "source.port": 49284, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6313,8 +6313,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6326,8 +6326,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6375,9 +6375,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -6395,8 +6395,8 @@ "source.packets": 1, "source.port": 57732, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6423,8 +6423,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -6436,8 +6436,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6447,8 +6447,8 @@ "network.application": "dns", "network.bytes": 212, "network.community_id": [ - "1:WgGQfntwYS3voQPhGfI/qhx0SVk=", - "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=" + "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=", + "1:WgGQfntwYS3voQPhGfI/qhx0SVk=" ], "network.direction": "outbound", "network.packets": 2, @@ -6485,9 +6485,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 134, @@ -6505,8 +6505,8 @@ "source.packets": 1, "source.port": 49195, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6533,8 +6533,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6546,8 +6546,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6595,9 +6595,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 179, @@ -6615,8 +6615,8 @@ "source.packets": 1, "source.port": 17266, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6643,8 +6643,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6656,8 +6656,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -6705,9 +6705,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 218, @@ -6725,8 +6725,8 @@ "source.packets": 1, "source.port": 48631, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6753,8 +6753,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6766,8 +6766,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6815,9 +6815,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -6835,8 +6835,8 @@ "source.packets": 1, "source.port": 58540, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6863,8 +6863,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6876,8 +6876,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -6887,8 +6887,8 @@ "network.application": "dns", "network.bytes": 379, "network.community_id": [ - "1:dhAcAsMUxJrHfinQA5Q7eglS7T0=", - "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=" + "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=", + "1:dhAcAsMUxJrHfinQA5Q7eglS7T0=" ], "network.direction": "outbound", "network.packets": 2, @@ -6925,9 +6925,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 305, 
@@ -6945,8 +6945,8 @@ "source.packets": 1, "source.port": 42678, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -6976,8 +6976,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -6989,8 +6989,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7038,9 +7038,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "66.28.0.45", - "192.168.1.63" + "66.28.0.45" ], "rule.name": "new_outbound_from_trust", "server.bytes": 527, @@ -7058,8 +7058,8 @@ "source.packets": 1, "source.port": 16576, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7086,8 +7086,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7099,8 +7099,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7148,9 +7148,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 153, @@ -7168,8 +7168,8 @@ "source.packets": 1, "source.port": 39830, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7196,8 +7196,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7209,8 +7209,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -7258,9 +7258,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 169, @@ -7278,8 +7278,8 @@ "source.packets": 1, "source.port": 6185, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7306,8 +7306,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7319,8 +7319,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7368,9 +7368,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 128, @@ -7388,8 +7388,8 @@ "source.packets": 1, "source.port": 8781, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7416,8 +7416,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7429,8 +7429,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7478,9 +7478,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 181, @@ -7498,8 +7498,8 @@ "source.packets": 1, "source.port": 16788, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7526,8 +7526,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -7539,8 +7539,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7550,8 +7550,8 @@ "network.application": "dns", "network.bytes": 197, "network.community_id": [ - "1:eupsSNkv67+oInX/FQ2hHpUMyR8=", - "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=" + "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=", + "1:eupsSNkv67+oInX/FQ2hHpUMyR8=" ], "network.direction": "outbound", "network.packets": 2, @@ -7588,9 +7588,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 121, @@ -7608,8 +7608,8 @@ "source.packets": 1, "source.port": 45307, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7639,8 +7639,8 @@ "destination.port": 80, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7652,8 +7652,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7701,9 +7701,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "23.52.174.25", - "192.168.1.63" + "23.52.174.25" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1246, @@ -7721,8 +7721,8 @@ "source.packets": 6, "source.port": 52520, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7749,8 +7749,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 1000000000, @@ -7762,8 +7762,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -7811,9 +7811,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 315, @@ -7831,8 +7831,8 @@ "source.packets": 1, "source.port": 8503, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7859,8 +7859,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -7872,8 +7872,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -7921,9 +7921,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 130, @@ -7941,8 +7941,8 @@ "source.packets": 1, "source.port": 6910, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -7972,8 +7972,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 12000000000, @@ -7985,8 +7985,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8034,9 +8034,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "54.230.5.228", - "192.168.1.63" + "54.230.5.228" ], "rule.name": "new_outbound_from_trust", "server.bytes": 288, @@ -8054,8 +8054,8 @@ "source.packets": 5, "source.port": 52475, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -8082,8 +8082,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8095,8 +8095,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8106,8 +8106,8 @@ "network.application": "dns", "network.bytes": 225, "network.community_id": [ - "1:uTxp5xDc9k43Sc1xNxNrsxzfM/I=", - "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=" + "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=", + "1:uTxp5xDc9k43Sc1xNxNrsxzfM/I=" ], "network.direction": "outbound", "network.packets": 2, @@ -8144,9 +8144,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 149, @@ -8164,8 +8164,8 @@ "source.packets": 1, "source.port": 14342, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8192,8 +8192,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8205,8 +8205,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8216,8 +8216,8 @@ "network.application": "dns", "network.bytes": 273, "network.community_id": [ - "1:hwpLJFJeocCuki/uuS7DMUwYAcc=", - "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=" + "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=", + "1:hwpLJFJeocCuki/uuS7DMUwYAcc=" ], "network.direction": "outbound", "network.packets": 2, @@ -8254,9 +8254,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 202, 
@@ -8274,8 +8274,8 @@ "source.packets": 1, "source.port": 48197, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8302,8 +8302,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8315,8 +8315,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8326,8 +8326,8 @@ "network.application": "dns", "network.bytes": 270, "network.community_id": [ - "1:PL/uhiXbtv9YRtGDNEfmkWyMpEw=", - "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=" + "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=", + "1:PL/uhiXbtv9YRtGDNEfmkWyMpEw=" ], "network.direction": "outbound", "network.packets": 2, @@ -8364,9 +8364,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 195, @@ -8384,8 +8384,8 @@ "source.packets": 1, "source.port": 32296, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8412,8 +8412,8 @@ "destination.port": 123, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8425,8 +8425,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8436,8 +8436,8 @@ "network.application": "ntp", "network.bytes": 180, "network.community_id": [ - "1:zSTxlbsV3qi7ri6QQifUc6oMz/o=", - "1:OSARbLstqz9D5CGo0NQuv0a9g20=" + "1:OSARbLstqz9D5CGo0NQuv0a9g20=", + "1:zSTxlbsV3qi7ri6QQifUc6oMz/o=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -8474,9 +8474,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.195", - "208.83.246.20", - "192.168.1.63" + "208.83.246.20" ], "rule.name": "new_outbound_from_trust", "server.bytes": 90, @@ -8494,8 +8494,8 @@ "source.packets": 1, "source.port": 33870, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8522,8 +8522,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8534,8 +8534,8 @@ "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", "event.type": [ - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8545,8 +8545,8 @@ "network.application": "dns", "network.bytes": 340, "network.community_id": [ - "1:E2LqiKHR3ZQXGMA0QsH84jNNC/0=", - "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=" + "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=", + "1:E2LqiKHR3ZQXGMA0QsH84jNNC/0=" ], "network.direction": "outbound", "network.packets": 4, @@ -8583,9 +8583,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.196", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 192, @@ -8603,8 +8603,8 @@ "source.packets": 2, "source.port": 54659, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8631,8 +8631,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8643,8 +8643,8 @@ "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", "event.type": [ - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -8654,8 +8654,8 @@ "network.application": "dns", "network.bytes": 291, "network.community_id": [ - "1:wZXxVANJq0JID3j0Sh2o/qnIa7A=", - "1:uPFYX4KL/wjyCp4kt+08v7myT3w=" + "1:uPFYX4KL/wjyCp4kt+08v7myT3w=", + "1:wZXxVANJq0JID3j0Sh2o/qnIa7A=" ], "network.direction": "outbound", "network.packets": 2, @@ -8692,9 +8692,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 208, @@ -8712,8 +8712,8 @@ "source.packets": 1, "source.port": 57446, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8740,8 +8740,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8752,8 +8752,8 @@ "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", "event.type": [ - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8801,9 +8801,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 100, @@ -8821,8 +8821,8 @@ "source.packets": 1, "source.port": 22655, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8851,8 +8851,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 10000000000, @@ -8863,8 +8863,8 @@ "event.start": "2018-11-30T16:09:21.000-02:00", "event.timezone": "-02:00", "event.type": [ - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -8874,8 +8874,8 @@ "network.application": "ssl", "network.bytes": 9290, "network.community_id": [ - "1:WVDXvoZNkWqELBhlp2DzAjKS6V4=", - "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=" + "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=", + "1:WVDXvoZNkWqELBhlp2DzAjKS6V4=" ], "network.direction": "outbound", "network.packets": 24, @@ -8912,9 +8912,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "35.185.88.112", - "192.168.1.63" + "35.185.88.112" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7237, @@ -8932,8 +8932,8 @@ "source.packets": 13, "source.port": 52509, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -8960,8 +8960,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -8973,8 +8973,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -8984,8 +8984,8 @@ "network.application": "dns", "network.bytes": 202, "network.community_id": [ - "1:SaW9SLCHEmuQYbHgbCLPVZmIrWo=", - "1:9Ub1pskil4C0tLo85OJa61g1D0Q=" + "1:9Ub1pskil4C0tLo85OJa61g1D0Q=", + "1:SaW9SLCHEmuQYbHgbCLPVZmIrWo=" ], "network.direction": "outbound", "network.packets": 2, @@ -9022,9 +9022,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 109, @@ -9042,8 +9042,8 @@ "source.packets": 1, "source.port": 27192, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9070,8 +9070,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, 
@@ -9083,8 +9083,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9132,9 +9132,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 116, @@ -9152,8 +9152,8 @@ "source.packets": 1, "source.port": 30221, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9180,8 +9180,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -9193,8 +9193,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9242,9 +9242,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 96, @@ -9262,8 +9262,8 @@ "source.packets": 1, "source.port": 30570, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9293,8 +9293,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 11000000000, @@ -9306,8 +9306,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9317,8 +9317,8 @@ "network.application": "ssl", "network.bytes": 1754, "network.community_id": [ - "1:wOhR5YstpLgnt5WE19sGYKCmyZU=", - "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=" + "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=", + "1:wOhR5YstpLgnt5WE19sGYKCmyZU=" ], "network.direction": "outbound", "network.packets": 15, 
@@ -9355,9 +9355,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "50.19.85.24", - "192.168.1.63" + "50.19.85.24" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9375,8 +9375,8 @@ "source.packets": 8, "source.port": 52497, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9406,8 +9406,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 11000000000, @@ -9419,8 +9419,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9468,9 +9468,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "50.19.85.24", - "192.168.1.63" + "50.19.85.24" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9488,8 +9488,8 @@ "source.packets": 8, "source.port": 52498, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9519,8 +9519,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 11000000000, @@ -9532,8 +9532,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9581,9 +9581,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "50.19.85.24", - "192.168.1.63" + "50.19.85.24" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9601,8 +9601,8 @@ "source.packets": 8, "source.port": 52496, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -9629,8 +9629,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 11000000000, @@ -9642,8 +9642,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9653,8 +9653,8 @@ "network.application": "ssl", "network.bytes": 10511, "network.community_id": [ - "1:xYiSF9gJFyCzwbXQPyFt8YU2J78=", - "1:aHhDlT3Bx285CJRrBykpRsei1a0=" + "1:aHhDlT3Bx285CJRrBykpRsei1a0=", + "1:xYiSF9gJFyCzwbXQPyFt8YU2J78=" ], "network.direction": "outbound", "network.packets": 22, @@ -9691,9 +9691,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "104.254.150.9", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7820, @@ -9711,8 +9711,8 @@ "source.packets": 12, "source.port": 52510, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9742,8 +9742,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 11000000000, @@ -9755,8 +9755,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9804,9 +9804,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "50.19.85.24", - "192.168.1.63" + "50.19.85.24" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9824,8 +9824,8 @@ "source.packets": 8, "source.port": 52495, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -9855,8 +9855,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 12000000000, @@ -9868,8 +9868,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9879,8 +9879,8 @@ "network.application": "incomplete", "network.bytes": 490, "network.community_id": [ - "1:pRGS72RJ+/RdCMjmtcrBxdR6i9w=", - "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=" + "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=", + "1:pRGS72RJ+/RdCMjmtcrBxdR6i9w=" ], "network.direction": "outbound", "network.packets": 7, @@ -9917,9 +9917,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.0.218.108", - "192.168.1.63" + "52.0.218.108" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, @@ -9937,8 +9937,8 @@ "source.packets": 4, "source.port": 52486, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -9968,8 +9968,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 12000000000, @@ -9981,8 +9981,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -9992,8 +9992,8 @@ "network.application": "incomplete", "network.bytes": 490, "network.community_id": [ - "1:zaENYnP2VlZewYNuHhpqTvNAf4Y=", - "1:486dmnLzuTH8P7j6jI6JsUtW2VU=" + "1:486dmnLzuTH8P7j6jI6JsUtW2VU=", + "1:zaENYnP2VlZewYNuHhpqTvNAf4Y=" ], "network.direction": "outbound", "network.packets": 7, @@ -10030,9 +10030,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "52.6.117.19", - "192.168.1.63" + "52.6.117.19" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, 
@@ -10050,8 +10050,8 @@ "source.packets": 4, "source.port": 52489, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10081,8 +10081,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 12000000000, @@ -10094,8 +10094,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10105,8 +10105,8 @@ "network.application": "incomplete", "network.bytes": 490, "network.community_id": [ - "1:FdupsUbF1ju1djczW9JAKlxKNC4=", - "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=" + "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=", + "1:FdupsUbF1ju1djczW9JAKlxKNC4=" ], "network.direction": "outbound", "network.packets": 7, @@ -10143,9 +10143,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "34.238.96.22", - "192.168.1.63" + "34.238.96.22" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, @@ -10163,8 +10163,8 @@ "source.packets": 4, "source.port": 52490, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10194,8 +10194,8 @@ "destination.port": 443, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 12000000000, @@ -10207,8 +10207,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10256,9 +10256,9 @@ "PA-220" ], "related.ip": [ - "192.168.15.224", "130.211.47.17", - "192.168.1.63" + "192.168.1.63", + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 280, @@ -10276,8 +10276,8 @@ "source.packets": 4, "source.port": 52493, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -10304,8 +10304,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10317,8 +10317,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10328,8 +10328,8 @@ "network.application": "dns", "network.bytes": 269, "network.community_id": [ - "1:n/IZF37E/7cErtK4po3ewuEQScY=", - "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=" + "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=", + "1:n/IZF37E/7cErtK4po3ewuEQScY=" ], "network.direction": "outbound", "network.packets": 2, @@ -10366,9 +10366,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -10386,8 +10386,8 @@ "source.packets": 1, "source.port": 59320, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10414,8 +10414,8 @@ "destination.port": 0, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10427,8 +10427,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10438,8 +10438,8 @@ "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" ], "network.direction": "outbound", "network.packets": 12, @@ -10476,9 +10476,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, 
@@ -10496,8 +10496,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10524,8 +10524,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10537,8 +10537,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10586,9 +10586,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -10606,8 +10606,8 @@ "source.packets": 1, "source.port": 13076, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10634,8 +10634,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10647,8 +10647,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10658,8 +10658,8 @@ "network.application": "dns", "network.bytes": 242, "network.community_id": [ - "1:mci4o+GZJDLvZr11UdJH9bepPqU=", - "1:+zC2Y+UE7UqApr01oqb755Xyuf4=" + "1:+zC2Y+UE7UqApr01oqb755Xyuf4=", + "1:mci4o+GZJDLvZr11UdJH9bepPqU=" ], "network.direction": "outbound", "network.packets": 2, @@ -10696,9 +10696,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 170, @@ -10716,8 +10716,8 @@ "source.packets": 1, "source.port": 5511, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { 
@@ -10744,8 +10744,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10757,8 +10757,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10806,9 +10806,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -10826,8 +10826,8 @@ "source.packets": 1, "source.port": 9799, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10854,8 +10854,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10867,8 +10867,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", @@ -10916,9 +10916,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -10936,8 +10936,8 @@ "source.packets": 1, "source.port": 39169, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] }, { @@ -10964,8 +10964,8 @@ "destination.port": 53, "event.action": "flow_terminated", "event.category": [ - "network_traffic", - "network" + "network", + "network_traffic" ], "event.dataset": "panw.panos", "event.duration": 0, @@ -10977,8 +10977,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "fileset.name": "panos", "input.type": "log", 
@@ -11026,9 +11026,9 @@ "PA-220" ], "related.ip": [ + "192.168.1.63", "192.168.15.224", - "8.8.8.8", - "192.168.1.63" + "8.8.8.8" ], "rule.name": "new_outbound_from_trust", "server.bytes": 166, @@ -11046,8 +11046,8 @@ "source.packets": 1, "source.port": 42476, "tags": [ - "pan-os", - "forwarded" + "forwarded", + "pan-os" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json new file mode 100644 index 00000000000..74eff0b69b6 --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json 
@@ -0,0 +1,754 @@ +[ + { + "@timestamp": "2021-03-24T11:00:49.000-02:00", + "client.ip": "10.50.35.36", + "client.port": 0, + "client.user.name": "john.smith", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 0, + "log.original": "1,2021/03/24 11:00:49,013101001305,USERID,login,2305,2021/03/24 11:00:49,vsys1,10.50.35.36,domain\\john.smith,,0,1,10800,0,0,,,1252774,0x0,0,0,0,0,,FW01,1,,2021/03/24 11:00:49,1,0x80000000,john.smith", + "network.type": "ipv4", + "observer.hostname": "FW01", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "", + "panw.panos.datasourcetype": "", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-03-24T11:00:49.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1252774, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "FW01" + ], + "related.ip": [ + "10.50.35.36" + ], + "related.user": [ + "john.smith" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.50.35.36", + "source.ip": "10.50.35.36", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "john.smith", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "domain", + "user.name": "john.smith" + }, + { + "@timestamp": "2021-03-24T10:59:45.000-02:00", + 
"client.ip": "10.55.18.7", + "client.port": 0, + "client.user.name": "john.smith", + "destination.port": 0, + "event.action": "logout", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 240, + "log.original": "1,2021/03/24 10:59:45,013101001305,USERID,logout,2305,2021/03/24 10:59:45,vsys1,10.55.18.7,domain\\john.smith,,0,1,0,0,0,,,1252765,0x0,0,0,0,0,,FW01,1,,2021/03/24 10:59:45,1,0x80000000,john.smith", + "network.type": "ipv4", + "observer.hostname": "FW01", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "", + "panw.panos.datasourcetype": "", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-03-24T10:59:45.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1252765, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": 0, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "FW01" + ], + "related.ip": [ + "10.55.18.7" + ], + "related.user": [ + "john.smith" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.55.18.7", + "source.ip": "10.55.18.7", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "john.smith", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "domain", + "user.name": "john.smith" + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + 
"event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 476, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,1,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 2700, + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "plano2008r2", + "user.name": "administrator" + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 642, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,2,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + 
"observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 2, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 2700, + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "plano2008r2", + "user.name": "administrator" + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 808, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,3,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 3, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 2700, + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + 
"172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "plano2008r2", + "user.name": "administrator" + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 974, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,4,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 4, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 2700, + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "plano2008r2", + "user.name": "administrator" + }, + { + "@timestamp": "2021-04-05T14:52:16.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + 
"client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1140, + "log.original": "1,2021/04/05 14:52:16,,USERID,login,2305,2021/04/05 14:52:16,vsys1,10.68.2.9,domain\\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277996,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:16,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:52:16.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277996, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "domain", + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:52:33.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "logout", 
+ "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1356, + "log.original": "1,2021/04/05 14:52:33,,USERID,logout,2305,2021/04/05 14:52:33,vsys1,10.68.2.9,domain\\admin,,0,1,0,0,0,vpn-client,globalprotect,1277997,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:34,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:52:34.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277997, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": 0, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "domain", + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:10.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + 
"event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1569, + "log.original": "1,2021/04/05 14:53:10,,USERID,login,2305,2021/04/05 14:53:10,vsys1,10.68.2.9,subdomain\\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277998,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:11,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:11.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277998, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "subdomain", + "source.user.name": "admin", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "subdomain", + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:31.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + 
"fileset.name": "panos", + "input.type": "log", + "log.offset": 1788, + "log.original": "1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 14:53:31,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1277999,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:31.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277999, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "admin", + "tags": [ + "forwarded", + "pan-os" + ], + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:31.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "user", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1997, + "log.original": "1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 
14:53:31,vsys1,10.68.2.9,user,,0,1,10800,0,0,vpn-client,globalprotect,1278000,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,user", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:31.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278000, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "user" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "user", + "tags": [ + "forwarded", + "pan-os" + ], + "user.name": "user" + }, + { + "@timestamp": "2021-04-05T14:53:49.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 2204, + "log.original": "1,2021/04/05 14:53:49,,USERID,login,2305,2021/04/05 14:53:49,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1278001,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:49,1,0x80000000,admin", + 
"network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:49.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278001, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "admin", + "tags": [ + "forwarded", + "pan-os" + ], + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:52.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "logout", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 2413, + "log.original": "1,2021/04/05 14:53:52,,USERID,logout,2305,2021/04/05 14:53:52,vsys1,10.68.2.9,domain\\admin,,0,1,0,0,0,vpn-client,globalprotect,1278002,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:52,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": 
"firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:52.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278002, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": 0, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "forwarded", + "pan-os" + ], + "user.domain": "domain", + "user.name": "admin" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json index d29937f64d9..925a66b164d 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json @@ -20,8 +20,8 @@ "rsa.time.duration_str": "sse", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -50,8 +50,8 @@ "rule.name": "mquia", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -70,8 +70,8 @@ "rsa.misc.msgIdPart2": "nse", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -105,8 +105,8 @@ "rsa.network.host_dst": "tenbyCic5882.api.home", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -130,8 +130,8 @@ "rsa.time.duration_str": "toccae", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -154,8 +154,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -184,8 +184,8 @@ "10.89.185.38" ], "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -208,8 +208,8 @@ "rsa.misc.severity": "medium", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -234,8 +234,8 @@ "rule.name": "fugi", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -263,8 +263,8 @@ "rsa.network.host_dst": "ommod3671.mail.domain", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -283,8 +283,8 @@ "rsa.misc.msgIdPart2": "eataev", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -311,8 +311,8 @@ "rule.name": "tem", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -332,8 +332,8 @@ "rsa.misc.severity": "err", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -354,8 +354,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -377,8 +377,8 @@ "rsa.misc.severity": "warn", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -397,8 +397,8 @@ "rsa.misc.msgIdPart2": "sectetur", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -419,8 +419,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -443,8 +443,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -469,8 +469,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -497,8 +497,8 @@ "rsa.network.host_dst": "ersp3536.www5.lan", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -524,8 +524,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -548,8 +548,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -577,8 +577,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -606,8 +606,8 @@ "rsa.misc.version": "1.5020", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -631,8 +631,8 @@ "rule.name": "uamei", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -658,8 +658,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -689,8 +689,8 @@ "rsa.network.host_dst": "sit6590.lan", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -713,8 +713,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -737,8 +737,8 @@ "rsa.misc.severity": "medium", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -765,8 +765,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -793,8 +793,8 @@ "rule.name": "remagn", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -817,8 +817,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -846,8 +846,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -872,8 +872,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -901,8 +901,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -930,8 +930,8 @@ "rsa.misc.severity": "note", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -962,8 +962,8 @@ "rule.name": "umetMal", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -984,8 +984,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1010,8 +1010,8 @@ "rule.name": "irured", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1037,8 +1037,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1059,8 +1059,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1084,8 +1084,8 @@ "rsa.misc.severity": "medium", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -1106,8 +1106,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1126,8 +1126,8 @@ "rsa.misc.msgIdPart2": "litan", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1153,8 +1153,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1174,8 +1174,8 @@ "rsa.misc.client": "queued-reinject", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1201,8 +1201,8 @@ "rsa.time.duration_str": "mip", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1230,8 +1230,8 @@ "rule.name": "equuntur", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1257,8 +1257,8 @@ "rule.name": "ugitsedq", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1291,8 +1291,8 @@ ], "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1313,8 +1313,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1342,8 +1342,8 @@ "rsa.misc.result_code": "atur", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -1371,8 +1371,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1393,8 +1393,8 @@ "rsa.misc.severity": "medium", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1421,8 +1421,8 @@ "rsa.web.reputation_num": 25.933, "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1448,8 +1448,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1472,8 +1472,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1507,8 +1507,8 @@ "rsa.network.host_dst": "str4641.domain", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1536,8 +1536,8 @@ "rule.name": "iaecon", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1562,8 +1562,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1584,8 +1584,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1613,8 +1613,8 @@ "rsa.misc.result_code": "quioff", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -1634,8 +1634,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1657,8 +1657,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1686,8 +1686,8 @@ "rule.name": "taevi", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1714,8 +1714,8 @@ "rule.name": "etMa", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1736,8 +1736,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1759,8 +1759,8 @@ "rsa.misc.severity": "medium", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1780,8 +1780,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1800,8 +1800,8 @@ "rsa.misc.msgIdPart2": "tassitas", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1822,8 +1822,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1850,8 +1850,8 @@ "10.27.154.247" ], "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -1872,8 +1872,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1901,8 +1901,8 @@ "rule.name": "leumiur", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1927,8 +1927,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1950,8 +1950,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -1973,8 +1973,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2016,8 +2016,8 @@ "rule.name": "aea", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2045,8 +2045,8 @@ "rsa.misc.result_code": "onpr", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2072,8 +2072,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2101,8 +2101,8 @@ "rsa.misc.result_code": "estq", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2123,8 +2123,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -2152,8 +2152,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2176,8 +2176,8 @@ "rsa.misc.severity": "medium", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2198,8 +2198,8 @@ "rsa.misc.severity": "medium", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2223,8 +2223,8 @@ "rsa.misc.severity": "very-high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2249,8 +2249,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2269,8 +2269,8 @@ "rsa.misc.msgIdPart2": "itse", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2291,8 +2291,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2311,8 +2311,8 @@ "rsa.misc.msgIdPart2": "umexe", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2337,8 +2337,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2364,8 +2364,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { 
@@ -2387,8 +2387,8 @@ "rsa.misc.severity": "low", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2415,8 +2415,8 @@ "10.199.46.88" ], "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2450,8 +2450,8 @@ "rsa.network.host_dst": "Sedutper7794.www5.domain", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2471,8 +2471,8 @@ "rsa.misc.severity": "medium", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2497,8 +2497,8 @@ "rsa.misc.severity": "info", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2525,8 +2525,8 @@ "10.38.111.125" ], "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2549,8 +2549,8 @@ "rsa.misc.severity": "high", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] }, { @@ -2574,8 +2574,8 @@ "rsa.network.host_dst": "estla4081.corp", "service.type": "proofpoint", "tags": [ - "proofpoint.emailsecurity", - "forwarded" + "forwarded", + "proofpoint.emailsecurity" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index 1c42e298457..891cd4c32de 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -13,8 +13,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.hosts": [ - "veri", - "quid2184.invalid" + "quid2184.invalid", + "veri" ], "related.ip": [ "10.202.72.124" 
@@ -32,8 +32,8 @@ "rsa.time.month": "Jan", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -62,8 +62,8 @@ "uptatev4292.www.invalid" ], "related.ip": [ - "10.38.77.13", - "10.212.11.114" + "10.212.11.114", + "10.38.77.13" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uam", @@ -89,8 +89,8 @@ ], "source.port": 3971, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -119,8 +119,8 @@ "rsa.time.month": "Feb", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -149,8 +149,8 @@ "rsa.time.month": "Mar", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -182,8 +182,8 @@ "rsa.time.month": "Mar", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "aaliquaU" }, @@ -240,8 +240,8 @@ ], "source.port": 4478, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -272,8 +272,8 @@ "rsa.time.month": "Apr", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "temqu" }, @@ -306,8 +306,8 @@ "rsa.time.month": "May", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "oluptate" }, @@ -361,8 +361,8 @@ "10.110.31.190" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -391,8 +391,8 @@ "rsa.time.month": "Jun", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -427,8 +427,8 @@ "rsa.time.month": "Jun", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "isetquas" }, @@ -458,8 +458,8 @@ "rsa.time.month": "Jul", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { 
@@ -491,8 +491,8 @@ "rsa.time.month": "Jul", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "aparia" }, @@ -522,8 +522,8 @@ "rsa.time.month": "Aug", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -555,8 +555,8 @@ "rsa.time.month": "Aug", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "inrepreh" }, @@ -586,8 +586,8 @@ "rsa.time.month": "Aug", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -619,8 +619,8 @@ "rsa.time.month": "Sep", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "uptat" }, @@ -656,8 +656,8 @@ "rsa.time.duration_time": 56.481, "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -674,8 +674,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.hosts": [ - "nula", - "exercita2068.api.invalid" + "exercita2068.api.invalid", + "nula" ], "related.ip": [ "10.169.84.140" @@ -693,8 +693,8 @@ "rsa.time.month": "Oct", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -730,8 +730,8 @@ "rsa.time.month": "Oct", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -766,8 +766,8 @@ "rsa.time.duration_time": 115.011, "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -802,8 +802,8 @@ "rsa.time.month": "Nov", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "smodtem" }, @@ -856,8 +856,8 @@ ], "source.port": 7119, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -913,8 +913,8 @@ ], "source.port": 3015, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { 
@@ -943,8 +943,8 @@ "rsa.time.month": "Jan", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -983,8 +983,8 @@ "10.165.33.19" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1009,8 +1009,8 @@ "unturmag6190.api.lan" ], "related.ip": [ - "10.52.190.18", - "10.238.223.171" + "10.238.223.171", + "10.52.190.18" ], "rsa.crypto.sig_type": "Finibus", "rsa.internal.messageid": "16539", @@ -1035,8 +1035,8 @@ ], "source.port": 4411, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1062,8 +1062,8 @@ "conseq6079.www.corp" ], "related.ip": [ - "10.68.233.163", - "10.160.178.109" + "10.160.178.109", + "10.68.233.163" ], "rsa.crypto.sig_type": "ctobeat", "rsa.internal.messageid": "26992", @@ -1088,8 +1088,8 @@ "10.68.233.163" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1125,8 +1125,8 @@ "rsa.time.month": "Mar", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1156,8 +1156,8 @@ "rsa.time.month": "Mar", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "serro" }, @@ -1187,8 +1187,8 @@ "rsa.time.month": "Apr", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1239,8 +1239,8 @@ "10.116.175.84" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1271,8 +1271,8 @@ "rsa.time.month": "Apr", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "estq" }, @@ -1305,8 +1305,8 @@ "rsa.time.month": "May", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "deriti" }, @@ -1339,8 +1339,8 @@ "rsa.time.month": "May", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { 
@@ -1372,8 +1372,8 @@ "rsa.time.month": "Jun", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "epteurs" }, @@ -1405,8 +1405,8 @@ "rsa.time.month": "Jun", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "ction" }, @@ -1436,8 +1436,8 @@ "rsa.time.month": "Jul", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1469,8 +1469,8 @@ "rsa.time.month": "Jul", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "trude" }, @@ -1527,8 +1527,8 @@ ], "source.port": 2998, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1557,8 +1557,8 @@ "rsa.time.month": "Aug", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1587,8 +1587,8 @@ "rsa.time.month": "Sep", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1617,8 +1617,8 @@ "rsa.time.month": "Sep", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1674,8 +1674,8 @@ ], "source.port": 1801, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1706,8 +1706,8 @@ "rsa.time.month": "Oct", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "mnisis" }, @@ -1760,8 +1760,8 @@ "10.198.44.231" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1790,8 +1790,8 @@ "evita850.localdomain" ], "related.ip": [ - "10.77.86.215", - "10.144.162.122" + "10.144.162.122", + "10.77.86.215" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "eav", @@ -1817,8 +1817,8 @@ ], "source.port": 5913, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { 
@@ -1849,8 +1849,8 @@ "rsa.time.month": "Dec", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "sci" }, @@ -1886,8 +1886,8 @@ "rsa.time.duration_time": 95.196, "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1916,8 +1916,8 @@ "rsa.time.month": "Dec", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -1948,8 +1948,8 @@ "rsa.time.month": "Jan", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "mwrit" }, @@ -1985,8 +1985,8 @@ "rsa.time.duration_time": 63.677, "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2018,8 +2018,8 @@ "rsa.time.month": "Feb", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "uaturvel" }, @@ -2056,8 +2056,8 @@ "rsa.time.month": "Feb", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2089,8 +2089,8 @@ "rsa.time.month": "Mar", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "pers" }, @@ -2118,8 +2118,8 @@ "uovol2459.www5.invalid" ], "related.ip": [ - "10.60.137.215", - "10.28.105.106" + "10.28.105.106", + "10.60.137.215" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -2143,8 +2143,8 @@ "10.28.105.106" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2173,8 +2173,8 @@ "rsa.time.month": "Apr", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2206,8 +2206,8 @@ "rsa.time.month": "Apr", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { 
@@ -2236,8 +2236,13 @@ "related.ip": [ "10.166.40.137", "10.20.167.114", +<<<<<<< HEAD "10.65.144.119", "10.49.190.163" +======= + "10.49.190.163", + "10.65.144.119" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", "rsa.internal.messageid": "FTD_events", @@ -2258,8 +2263,8 @@ "source.nat.port": 6233, "source.port": 5279, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2298,8 +2303,8 @@ "10.104.78.147" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2321,8 +2326,8 @@ "emulla6625.www5.corp" ], "related.ip": [ - "10.82.180.46", - "10.237.43.87" + "10.237.43.87", + "10.82.180.46" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "oloremqu", @@ -2338,8 +2343,8 @@ "10.237.43.87" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2366,8 +2371,8 @@ "magn3657.api.invalid" ], "related.ip": [ - "10.234.234.205", - "10.180.28.156" + "10.180.28.156", + "10.234.234.205" ], "rsa.crypto.sig_type": "mnihil", "rsa.internal.messageid": "5315", @@ -2394,8 +2399,8 @@ ], "source.port": 5714, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2424,8 +2429,8 @@ "rsa.time.month": "Jul", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2454,8 +2459,8 @@ "upta788.invalid" ], "related.ip": [ - "10.40.250.209", - "10.166.10.187" + "10.166.10.187", + "10.40.250.209" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-temUte", @@ -2481,8 +2486,8 @@ ], "source.port": 3941, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2514,8 +2519,8 @@ "rsa.time.month": "Aug", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { 
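Review bot: Unresolved merge-conflict markers are being committed into the snort expected file in this hunk: the added `<<<<<<< HEAD`, `=======` and `>>>>>>> 52f226530d...` lines sit inside the `related.ip` array, so the new side is not valid JSON and carries both orderings of the last two addresses. The +5 growth in the hunk header (8 → 13 lines) comes entirely from those three markers and the duplicated pair, which matches this file being listed under "Conflicts:" in the cherry-pick message. Resolve to the sorted side this commit intends, keeping only `"10.49.190.163",` and `"10.65.144.119"` after `"10.20.167.114",` and dropping the marker lines. As committed, the module's expected-output comparison for this file will fail to parse rather than compare, so it should be caught by running the snort test before merging.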
@@ -2537,8 +2542,8 @@ "ita7851.localhost" ], "related.ip": [ - "10.78.180.219", - "10.198.202.72" + "10.198.202.72", + "10.78.180.219" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "equaturv", @@ -2554,8 +2559,8 @@ "10.198.202.72" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2610,8 +2615,8 @@ "10.147.155.100" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2664,8 +2669,8 @@ ], "source.port": 3210, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2696,8 +2701,8 @@ "rsa.time.month": "Sep", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "antiu" }, @@ -2730,8 +2735,8 @@ "rsa.time.month": "Oct", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "lors" }, @@ -2767,8 +2772,8 @@ "rsa.time.duration_time": 116.537, "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2807,8 +2812,8 @@ "10.224.250.83" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2861,8 +2866,8 @@ ], "source.port": 653, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2918,8 +2923,8 @@ ], "source.port": 3760, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -2950,8 +2955,8 @@ "rsa.time.month": "Dec", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "agnaal" }, @@ -2984,8 +2989,8 @@ "rsa.time.month": "Jan", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "ita" }, @@ -3018,8 +3023,8 @@ "rsa.time.month": "Jan", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { 
@@ -3075,8 +3080,8 @@ ], "source.port": 703, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3105,8 +3110,8 @@ "rsa.time.month": "Feb", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3138,8 +3143,8 @@ "rsa.time.month": "Mar", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "iscing" }, @@ -3165,8 +3170,8 @@ "onsecte5119.www.invalid" ], "related.ip": [ - "10.5.88.183", - "10.198.207.31" + "10.198.207.31", + "10.5.88.183" ], "rsa.internal.event_desc": "Failed to locate egress interface", "rsa.internal.messageid": "FTD_events", @@ -3183,8 +3188,8 @@ ], "source.port": 579, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3216,8 +3221,8 @@ "rsa.time.month": "Apr", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "ect" }, @@ -3249,8 +3254,8 @@ "rsa.time.month": "Apr", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "issu" }, @@ -3283,8 +3288,8 @@ "rsa.time.month": "Apr", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "aria" }, @@ -3317,8 +3322,8 @@ "rsa.time.month": "May", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "mape" }, @@ -3354,8 +3359,8 @@ "rsa.time.duration_time": 141.678, "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3390,8 +3395,8 @@ "rsa.time.duration_time": 159.885, "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3447,8 +3452,8 @@ ], "source.port": 2632, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { 
@@ -3504,8 +3509,8 @@ ], "source.port": 1832, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3534,8 +3539,8 @@ "rsa.time.month": "Jul", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3567,8 +3572,8 @@ "rsa.time.month": "Aug", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "radip" }, @@ -3598,8 +3603,8 @@ "rsa.time.month": "Aug", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3634,8 +3639,8 @@ "rsa.time.month": "Sep", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "uptate" }, @@ -3675,8 +3680,8 @@ "10.14.46.141" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3711,8 +3716,8 @@ "rsa.time.month": "Oct", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "deFinibu" }, @@ -3745,8 +3750,8 @@ "rsa.time.month": "Oct", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "emp" }, @@ -3776,8 +3781,8 @@ "rsa.time.month": "Nov", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3812,8 +3817,8 @@ "rsa.time.month": "Nov", "service.type": "snort", "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ], "user.name": "ctobea" }, @@ -3865,8 +3870,8 @@ "source.nat.port": 135, "source.port": 6154, "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] }, { @@ -3905,8 +3910,8 @@ "10.188.88.133" ], "tags": [ - "snort.log", - "forwarded" + "forwarded", + "snort.log" ] } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/snyk/audit/test/snyk_audit.ndjson.log-expected.json b/x-pack/filebeat/module/snyk/audit/test/snyk_audit.ndjson.log-expected.json index b1b637d762f..90f8267c5cb 100644 --- a/x-pack/filebeat/module/snyk/audit/test/snyk_audit.ndjson.log-expected.json +++ b/x-pack/filebeat/module/snyk/audit/test/snyk_audit.ndjson.log-expected.json @@ -12,8 +12,8 @@ "snyk.audit.content.sessionPublicId": "sessionId123-t34123-sdfa234-asd", "snyk.audit.org_id": "orgid123test-5643asd234-asdfasdf", "tags": [ - "snyk-audit", - "forwarded" + "forwarded", + "snyk-audit" ], "user.group.id": "groupid123test-543123-54312sadf-123ad", "user.id": "userid123test-234sdfa2-423sdfa-2134" @@ -31,8 +31,8 @@ "snyk.audit.content.url": "/api/v1/org/orgid123test-5643asd234-asdfasdf/projects", "snyk.audit.org_id": "orgid123test-5643asd234-asdfasdf", "tags": [ - "snyk-audit", - "forwarded" + "forwarded", + "snyk-audit" ], "user.group.id": "groupid123test-543123-54312sadf-123ad", "user.id": "userid123test-234sdfa2-423sdfa-2134" @@ -51,8 +51,8 @@ "snyk.audit.content.isAdmin": false, "snyk.audit.org_id": "orgid123test-5643asd234-asdfasdf", "tags": [ - "snyk-audit", - "forwarded" + "forwarded", + "snyk-audit" ], "user.group.id": "groupid123test-543123-54312sadf-123ad", "user.id": "userid123test-234sdfa2-423sdfa-2134" @@ -72,8 +72,8 @@ "snyk.audit.content.userPublicId": "userid123test-234sdfa2-423sdfa-2134", "snyk.audit.org_id": "orgid123test-5643asd234-asdfasdf", "tags": [ - "snyk-audit", - "forwarded" + "forwarded", + "snyk-audit" ], "user.group.id": "groupid123test-543123-54312sadf-123ad", "user.id": "userid123test-234sdfa2-423sdfa-2134" diff --git a/x-pack/filebeat/module/snyk/vulnerabilities/test/snyk_vulns.ndjson.log-expected.json b/x-pack/filebeat/module/snyk/vulnerabilities/test/snyk_vulns.ndjson.log-expected.json index 12d7f878245..460337518c1 100644 --- a/x-pack/filebeat/module/snyk/vulnerabilities/test/snyk_vulns.ndjson.log-expected.json 
+++ b/x-pack/filebeat/module/snyk/vulnerabilities/test/snyk_vulns.ndjson.log-expected.json @@ -11,33 +11,33 @@ "snyk.projects": [ { "id": "projectid", - "name": "username/reponame", + "name": "someotheruser/someotherreponame", "packageManager": "npm", "source": "github", - "targetFile": "package.json", + "targetFile": "folder1/package.json", "url": "https://snyk.io/org/orgname/project/projectid" }, { "id": "projectid", - "name": "someotheruser/someotherreponame", + "name": "projectname", "packageManager": "npm", - "source": "github", - "targetFile": "folder1/package.json", + "source": "cli", + "targetFile": "package.json", "url": "https://snyk.io/org/orgname/project/projectid" }, { "id": "projectid", - "name": "projectname", + "name": "username/reponame", "packageManager": "npm", - "source": "cli", + "source": "github", "targetFile": "package.json", "url": "https://snyk.io/org/orgname/project/projectid" } ], "snyk.related.projects": [ - "username/reponame", + "projectname", "someotheruser/someotherreponame", - "projectname" + "username/reponame" ], "snyk.vulnerabilities.credit": [ "Snyk Security Research Team" @@ -86,8 +86,8 @@ ], "snyk.vulnerabilities.version": "0.8.8", "tags": [ - "snyk-vulnerabilities", - "forwarded" + "forwarded", + "snyk-vulnerabilities" ], "vulnerability.category": "Github", "vulnerability.classification": "CVSS", 
@@ -111,33 +111,33 @@ "snyk.projects": [ { "id": "projectid", - "name": "username/reponame", + "name": "someotheruser/someotherreponame", "packageManager": "npm", "source": "github", - "targetFile": "package.json", + "targetFile": "folder1/package.json", "url": "https://snyk.io/org/orgname/project/projectid" }, { "id": "projectid", - "name": "someotheruser/someotherreponame", + "name": "projectname", "packageManager": "npm", - "source": "github", - "targetFile": "folder1/package.json", + "source": "cli", + "targetFile": "package.json", "url": "https://snyk.io/org/orgname/project/projectid" }, { "id": "projectid", - "name": "projectname", + "name": "username/reponame", "packageManager": "npm", - "source": "cli", + "source": "github", "targetFile": "package.json", "url": "https://snyk.io/org/orgname/project/projectid" } ], "snyk.related.projects": [ - "username/reponame", + "projectname", "someotheruser/someotherreponame", - "projectname" + "username/reponame" ], "snyk.vulnerabilities.credit": [ "Snyk Security Research Team" @@ -186,8 +186,8 @@ ], "snyk.vulnerabilities.version": "0.8.8", "tags": [ - "snyk-vulnerabilities", - "forwarded" + "forwarded", + "snyk-vulnerabilities" ], "vulnerability.category": "Github", "vulnerability.classification": "CVSS", 
@@ -213,33 +213,33 @@ "snyk.projects": [ { "id": "projectid", - "name": "username/reponame", + "name": "someotheruser/someotherreponame", "packageManager": "npm", "source": "github", - "targetFile": "package.json", + "targetFile": "folder1/package.json", "url": "https://snyk.io/org/orgname/project/projectid" }, { "id": "projectid", - "name": "someotheruser/someotherreponame", + "name": "projectname", "packageManager": "npm", - "source": "github", - "targetFile": "folder1/package.json", + "source": "cli", + "targetFile": "package.json", "url": "https://snyk.io/org/orgname/project/projectid" }, { "id": "projectid", - "name": "projectname", + "name": "username/reponame", "packageManager": "npm", - "source": "cli", + "source": "github", "targetFile": "package.json", "url": "https://snyk.io/org/orgname/project/projectid" } ], "snyk.related.projects": [ - "username/reponame", + "projectname", "someotheruser/someotherreponame", - "projectname" + "username/reponame" ], "snyk.vulnerabilities.credit": [ "josselin-c" @@ -272,10 +272,10 @@ "=1.2.0" ], "snyk.vulnerabilities.semver.vulnerableHashes": [ - "c596ec57260fd2ad47b2ae6809d6890a2f99c3b2", + "0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c", "36e9d2ebbde5e3f13ab2e25625fd453271d6522e", - "f6920249aa08fc2a2c2e8274ea9648d0bb1e9364", - "0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c" + "c596ec57260fd2ad47b2ae6809d6890a2f99c3b2", + "f6920249aa08fc2a2c2e8274ea9648d0bb1e9364" ], "snyk.vulnerabilities.title": "Insecure Randomness", "snyk.vulnerabilities.type": "vuln", @@ -284,8 +284,8 @@ ], "snyk.vulnerabilities.version": "#000000000000", "tags": [ - "snyk-vulnerabilities", - "forwarded" + "forwarded", + "snyk-vulnerabilities" ], "vulnerability.category": "Github", "vulnerability.classification": "CVSS", 
@@ -309,33 +309,33 @@ "snyk.projects": [ { "id": "projectid", - "name": "username/reponame", + "name": "someotheruser/someotherreponame", "packageManager": "npm", "source": "github", - "targetFile": "package.json", + "targetFile": "folder1/package.json", "url": "https://snyk.io/org/orgname/project/projectid" }, { "id": "projectid", - "name": "someotheruser/someotherreponame", + "name": "projectname", "packageManager": "npm", - "source": "github", - "targetFile": "folder1/package.json", + "source": "cli", + "targetFile": "package.json", "url": "https://snyk.io/org/orgname/project/projectid" }, { "id": "projectid", - "name": "projectname", + "name": "username/reponame", "packageManager": "npm", - "source": "cli", + "source": "github", "targetFile": "package.json", "url": "https://snyk.io/org/orgname/project/projectid" } ], "snyk.related.projects": [ - "username/reponame", + "projectname", "someotheruser/someotherreponame", - "projectname" + "username/reponame" ], "snyk.vulnerabilities.credit": [ "Unknown" 
@@ -368,284 +368,284 @@ "<2.2.8" ], "snyk.vulnerabilities.semver.vulnerableHashes": [ - "dd8f49ae7840d1fc6810d53ee7b05356da92f81f", - "d4766d1dff71f8a135a57e1fcff946c8c1a140ab", - "2aba0a492be00f1eb4d95483b08930ebe4968b64", - "3b0eedc5a476efc2b2e025eff55b2fd08fa32abd", - "2f2fd02e5a54a7d4f5e5d3494b170b0cb9275c92", - "7ad95dd0798a40da1ccdff6dff35fd177b5edf40", - "f7716cbe52baa25d2e9b0d0da546fcf909fc16b4", - "1ff37a7d30b085dc643dee7adb18759e3511661a", - "eca94c41d994ae2215d455ce578ae6e2dc6ee516", - "b0c168ac0cf9493da1f9bb76c34b26ffef940b4a", - "77373ee937410eceadc4dc64b1100d897ed593d0", + "00efe9c47819ca58089c4bd5d1d8463248e23228", "025607cd2e381e6e08a56ffec46ac79e23ca2d88", - "7d17c9173a3d25ebba15cedb25b5205bdfb1eac8", - "ca3d523f32f3b33fb3265bfeb8e11003a8670e3d", - "85db785e81ed62ffae7a145404fc0f022335378c", - "a72a87d92dad7563e31c2c007e8d67f93d67f221", - "1be3d31502d6eabc0dd7ce5b0daab022e14a5538", - "90376f16b6d74c4e2fff21dd24397bec3dc62dd5", - "bb263360b83253468e534d974aabeddd6c22f887", - "d466437aa4adc35830964cffc5b5f262c63ddcb4", - "d6c23fbaf16f72995b58492627e65801cfb9a8dd", - "e4d366fc3c7938e2958e662b4258c7a89e1f0e3e", - "60a2abf4e00318875a661c29b36df7a68e484bf4", - "f4d271a8a289b41fa88b802c430fefde4e018bba", - "10c59a7d91867c206737dcd482fe68906a1484ca", - "d0b6f3facf302fb1bf969a12bad68ce720b3c025", - "4d6bb54d8acc91e147763cea066cff0b89437e90", - "1244d3ce02e3e1c16820ada0bae506b6c479f106", - "49fdd64ad429d146bacf7106dd73078e889be2e8", - "8e626dec39b5836cef636d885e33479debcf0cb1", - "4914593b9558e85597f08346c798aea8f6fb899f", "031c922227a592b2b562a1833438308381f9a8bf", - "b51f82a2e3cbedab685908bd64d61d0a1b781754", - "c75e52ecee48db6de9aa73d00a360d43abf3e7ac", - "857a0b2759f87f47aaebad6dd319cf4f887eb6dc", - "5887bc194be84805c8283e9d9a66102bf9571fca", - "a528d0ef484d32e416d7b9c4a249d1fa7111be6e", - "5b18502a28c65dfd209ea5aebb405fb6fc07f7e1", - "5d6f7e02b7cdad63b06ab3877915532cd30073b4", - "9c272e25743608d6d3287141522eb4506b2dac45", - 
"125a562d7bf105e062ed2adfb2d37e6f11c209bd", - "87e4a22b684220ccca96de3f2e651b2380a55f9e", - "d56ec34a3ded0bb58c82198664664ccb81eec91b", - "b754a4fe6ad8db932e083a2d85ae2199b3516bef", "04092268b2c5e87e6373229049c827b833af4edb", - "f59f5e67022f3c186e20af01b1993b86ac74f0dc", - "52d5976e4791cf8c96a9de7569098e3752677412", - "770b8dae4cf00919e5eafffbd8d58186294b61b5", - "71e7ede9d48a2e096f6d5d0516c763513a471bd1", - "b01920c75e30179201b01633db246038b0226ce9", - "ef0aede23c8c624e127a9a59183ee8915e48a3c9", - "1632dd8118ce1efece66b7f53bb167956d5d8b4e", + "0516c53462e633a479f3826e1d3557033413eeb8", "05299e459464264cd87a230b62d1aca93725c51b", - "d00346f943c9d2c43424c8a3840f5ca58817750d", - "49c95bdc21843256fb6c4e0d370a05f24a0bf213", - "088598405c86d37e951287d094d691e221654a00", - "c11897f0ba79d8a35d8a124ff0d76e13d9dccb9b", - "711419034010345c604724ef87ec3db91ffe0936", - "3e6d767784b037b90a14701b6c9f0643f05db963", - "a83829b6f1293c91addabc89d0571c246397bbf4", - "ee2f4956ea46791a74a31142105f03c0d5f9492b", - "7b079234548be56f14c6e342d4660aa8d54865b7", - "b7fbda9990042cd5456fdf187480c25fdd776f92", - "a6dc653f939ab0e6a554873806c41add1140d90c", - "687eda924018599a7c4518013c369f0bfb7eb0e1", - "fa9662d290d59b79f2ef7e1f72c885560efe512d", - "e47eca576e8f3a433de0ba77f1923e7c7f959667", - "e90bcf783f7abddaa0ee0994a09e536498744e49", - "fdc1ab46101a842d9e914408bd481f6647d5f9c1", - "f0766b44ca7999dc9af38a050ddf6db79d05bf3b", - "cdd36ee8d333aa740c1c0bceae0da74969b2c60b", - "7701d177ce02b7bd38c4ebd2ba4a7783080505ae", - "2c1be0d7f7ff8305cf666e89152e9753c8b39004", - "97203c6e4fc7347bfef3bd6d4913e90bd46c7ecb", - "7c97801ccf41d5273de9e22c8b2af6860c7703a2", - "7002636de42c9ef59a2921bb4f78744cabe8bfe3", + "059398de19c863a04c55315526d6c226de540aa1", + "05d405925260878bd750ea7d96c746c2d726b349", "0725b7707fdeeb6894c403d0f5a2a20e1dc7454d", - "1dd72ac3928693b9db2533639dfc2a5f831697eb", - "73a1567027eea2fab2b057a193036f844736f7da", - "7539b1dee2c790ab2d1aa5e254ef877f5552ff97", - 
"920b7d819b42f26f4796e4a43f518090a7a6331f", - "1f64d6156d11335c3f22d9330b0ad14fc1e789ce", - "1b9791953ba4027efaeb728c7355e542a203be5e", - "1ed59511881fdb008c1e618e9f219ce0704e658e", - "c325d146e464fb9567e780ddfa2dad3a99323075", + "08434a82b8376f585898a97654ce18065d14cb97", + "0846a25da24891a7b3c725bc190493b5f7525db8", + "088598405c86d37e951287d094d691e221654a00", + "0a6d1b02c16e372ceea8f17f3b1833b918954bf1", + "0cb32393ebcfc65467398e5daadfb63b2184caea", + "0e4404da71227dcc02fb1deee803d93e86d08f72", "0ee36981cbf495d5eb6aeb540a3afc25c61d1a96", - "c4a9fb418357aceb801272d73efd518f183700fa", - "a347d2466e459933f4fb25f8026d995977436ccf", - "f221b8435cfb71e54062f6c6e99e9ade30b124d5", - "5206f6dd03423b3a5462a2a4286a4efae8abe347", - "a1c4bcb6c278a41992e2f4f0f29a44b4146daa5c", - "4ca689e686c2caf4dda3a62936c097d6dfb56877", + "0f9a5c380d77a8b2888a78c3d3a14db15949b1fa", + "1092c5d94f266e0f94e485a24f7010da877eeba0", + "10c59a7d91867c206737dcd482fe68906a1484ca", "119a11e4378a0410c69c42d82f51331a6da7a97c", - "c7da9dcff86f24fcfdc15e1f9fa39dfc19784616", - "f29dde21846f6357ee4421013b59eefd65c069b0", - "5515099aacaeb9ff3ab7492f0803327bb19fc512", + "1244d3ce02e3e1c16820ada0bae506b6c479f106", + "125a562d7bf105e062ed2adfb2d37e6f11c209bd", + "1418a9bc452f9cf4efa70307cafcb10743e64a56", + "14227de293ca979cf205cd88769fe71ed96a97e2", + "14d1c4659ec7b9ee26f5d705f3c2bb56cb6cbee4", + "1632dd8118ce1efece66b7f53bb167956d5d8b4e", + "18e5f12b39cb93b31a249fb7115b9bbf6162aeeb", + "1ade51a028efa6990b524e0b01237dbd9123957d", + "1b2e8c1531abbfe7dcd3de8ff4483326af275bc8", + "1b9791953ba4027efaeb728c7355e542a203be5e", + "1be3d31502d6eabc0dd7ce5b0daab022e14a5538", + "1bf6a7ce154075e61134f8a68dd50902c3027a10", "1c9241b56a03383c77e1c33d86ea6ca4a927153e", - "86f5ed62f8a0ee96bd888d2efdfd6d4fb100a4eb", + "1d653a737648051ca638423377052c2f5c10c050", + "1dd72ac3928693b9db2533639dfc2a5f831697eb", + "1ed59511881fdb008c1e618e9f219ce0704e658e", + "1f1f61830e4c9f1eff03047c9d1d11e576853bc4", 
"1f2a25ba9402c70a7806e84531ef763943739072", - "1418a9bc452f9cf4efa70307cafcb10743e64a56", - "65b1927d8262617ca3d25f296fdde1e8c48f813d", + "1f64d6156d11335c3f22d9330b0ad14fc1e789ce", + "1ff37a7d30b085dc643dee7adb18759e3511661a", + "200c098a06472243b50aeda4510220a90c4e7dbe", + "205b70273c7999d96b32db43ab54337690817184", + "25c4ec802a7d637f88d584ab26798e94ad14c13b", + "2628b30e544c309ac3d0c8cd7e78a785400cd41f", + "26b882523374125854702734c30b0ce6a1a18d7b", + "283fbcdd1e64975730a38609f8802ef983a43cb9", + "284796d39ddb313ec0ae04898de280d41fe32479", + "287cf08546ab5e7e37d55a84f7ed3fd1db036de5", + "2aba0a492be00f1eb4d95483b08930ebe4968b64", + "2afc2e57e051513a3f5f67e74857696a8558d67b", "2bf60357b89cbc6044dde700cf63bab94a615bf7", - "c6314f5b627e2a1c1846d89cd775de6b2808d37e", - "50e1b1b1332ea40fff2a9b13bfbccbbecd526f00", - "50f7813e6b19e58334360ab011dfbaece5b1501f", - "a311394a2a9276454d3f92d26838c3ae3d99cdf3", - "79f5ef7c40ae7a4ee6bcd26d324bf50491b431e5", - "731788bc8b082f8c81c63ca0abd5950c7a68a2f1", - "6491ec31f7b0d27492e3046c86de94838dcb523c", + "2c1be0d7f7ff8305cf666e89152e9753c8b39004", + "2c8612dfee1362e7e482c66c5feb892a94d53255", + "2c9db3558be789ef3896b03ed3f354b822c304b9", + "2f2fd02e5a54a7d4f5e5d3494b170b0cb9275c92", + "31c299268d302dd0aa9a0dcf765a3d58971ac83f", + "3323b7713e656f16fbd0eec27c60370b6237f4e3", + "36babc3691687601732d9e2571b698be4116469a", + "399c3345e0f76f583d830cd7da27518bbb00c91a", + "39e59aa7e15898a87148f0f4891a085c83b9b0fc", + "3b0eedc5a476efc2b2e025eff55b2fd08fa32abd", + "3b4ad1db5b2a649883ff3782f5f9f6fb52be71af", + "3ba0e99ffa727bd7eb782b7a5d1aafcb989b0899", + "3c0d4d4f56c36fcfd2da00ff26c40046512b4208", + "3c68098bffba683534584be69216dac3a2b2305a", + "3d8cfc3754fba03b8f1a0d44ea4e6e870cf86c57", + "3e542fbf7c84c0bf22f51ad07899cf80f8658caa", + "3e69410288aeb97d31353af8e063b798d40feb3f", + "3e6d767784b037b90a14701b6c9f0643f05db963", + "3e92d6a11b92fa4612d66712704844bdc0c48aed", + "3eb2270747cdd89e3f095cb24e8dd4ccf2a098f6", + 
"406cad6bb47dd7d9a123d005fb8ff766f6463051", "41168bb7ed2fc849bc36727a2b902bd8f447bfc2", - "bc27649cd5454055cf20fdb9ef556c214d3f9aa0", - "d6b53382672776035ad8ef0404681f8a4a16bb95", - "8eba062837dc10754db7cbafcbedbfbc985ca172", - "837b0877fcd6b2c8ba83d126917267695ff16ad8", - "72c33f6840f49f9ed7d1faef7562b3266640fdf4", - "26b882523374125854702734c30b0ce6a1a18d7b", - "e90048704a8adb0b81b2e15ebafd1a35fa110903", - "4fc5987536ef307a24ca299aee7ae301cde3d221", + "41c132e8ac051886e4eb06e7c3d58ced63d58057", + "422f540d2e1f1b41b6184903cd1eb69c777df1bb", "4341420a144323d3f148ece677a20da6e077cfd2", - "5c8bfe59213b6e9a5eb50debebc396e99a9fa174", - "200c098a06472243b50aeda4510220a90c4e7dbe", - "de3643d77b438c6f0f69f350c437639a300b5e73", - "9a4310b1caff4cca3780580195a916ca060d08f7", - "91eb945ac02153399ac9f69e34751f1a176254c3", + "43607cc2a1772b23faf366c24b8e33541187b64d", + "43a0256bb22b0c2e1803ac6e28f55e5989a60523", + "4914593b9558e85597f08346c798aea8f6fb899f", + "49c95bdc21843256fb6c4e0d370a05f24a0bf213", + "49fdd64ad429d146bacf7106dd73078e889be2e8", + "4c78c975fe7c825c6d1466c42be594d1d6f3aba6", + "4ca689e686c2caf4dda3a62936c097d6dfb56877", + "4cadac2bc790baeffa0a7fa19689223966a64c24", "4cdd993908b57c3b87bef0695e5ca989151ad55f", - "7ddc4634ce2d8ca5c03846918ae1df6aa40ee464", - "ec232d2920a84930b077414b60b5985e076ae228", - "2c8612dfee1362e7e482c66c5feb892a94d53255", - "d670f9405373e636a5a2765eea47fac0c9bc91a4", - "e9bfed595636e952566e5cb857c22b918f2530a2", - "c1cd2254a6dd314c9d73c338c12688c9325d85c6", - "df747160af0ebfcc572951e4168d4b1bc91a47f5", - "a65e08b08285cef29253c50ffd92469bf6e26a29", - "e6da37e746419537560c1e95e429f42b33f6d0e3", - "eea198a9c5cc6e02bfcd130a932051088a9f0950", - "6675ed2a9028caf87bb5915503c08a595e57b77d", - "562080bfe963d41a6870a4c500918f6361a0b61f", - "8171f560dedcb162dd3d2c925015679e84bac269", - "c78cd3ebd83777ac093137fbb55c33a9d3f65819", - "e4ac4c457c23b390e7fd75ddf746c5a69aa8cfd5", - "93d787c44dc828e1c67fa275cb66eb86bb2929f8", - 
"7cdd87a79f79db641dae55776224443026d28928", - "406cad6bb47dd7d9a123d005fb8ff766f6463051", + "4d6bb54d8acc91e147763cea066cff0b89437e90", + "4f03e946c120a8f146f43bee6f392f9bb5d0a677", + "4f3d34e492b8930c50204a216d960e7da0dc5f63", + "4fc5987536ef307a24ca299aee7ae301cde3d221", + "50e1b1b1332ea40fff2a9b13bfbccbbecd526f00", + "50f7813e6b19e58334360ab011dfbaece5b1501f", + "51d6538a90f86fe93ac480b35f37b2be17fef232", + "5206f6dd03423b3a5462a2a4286a4efae8abe347", "523c7d9470684b02d902e8d986cd9eea66884755", - "9ca8abd6882a6e741166e6ec946a73f3a64df65a", - "885e19c0dda1f4e4e22837474879f8f3d36fb449", - "e8976af76e3d35c48f8b2c9540cca3e92995fbc6", - "addb3a024ff5763c8facbe4767fe530d602cfedc", - "c7f6f9c6e6c14027a46eb91241427dba67604f39", - "0a6d1b02c16e372ceea8f17f3b1833b918954bf1", - "835086a6b6aa65939515e30b5d6c2eba43d7c075", - "7b8fd2dbef04521fdd8d670ef4c77be691845aa2", - "3eb2270747cdd89e3f095cb24e8dd4ccf2a098f6", - "1d653a737648051ca638423377052c2f5c10c050", - "14d1c4659ec7b9ee26f5d705f3c2bb56cb6cbee4", - "c544d0342172409bd9c8f7c45d9fb21971c8aee9", - "6941443daa441371720e9ef8f3554c3958cfb071", - "f8db564a0a4a5f6d04f66522493597f18e5ab4ae", - "7c634f6a68c1076d3cfdc56930db26e86f7876d7", - "f7e23311052d3dda728ce15788fb3727898afa17", - "8691640bc70f3d96128a809341d850b550a3abb9", - "b9b22c434500d7639936fbed673fc0ef23ce88f6", - "d6385b38675d8d03521c9290f4f3d7bff08664c0", - "4c78c975fe7c825c6d1466c42be594d1d6f3aba6", + "52d5976e4791cf8c96a9de7569098e3752677412", + "53087c11c10b453af4f2eb47471434eae75526f9", + "53feefa2559fb8dfa8d81baad31be332c97d6c77", + "5420a8b6744d3b0345ab293f6fcba19c978f1183", "54c736c86c9bcc793fb4bd6f203604cd738dc0e9", + "5515099aacaeb9ff3ab7492f0803327bb19fc512", + "562080bfe963d41a6870a4c500918f6361a0b61f", + "5887bc194be84805c8283e9d9a66102bf9571fca", + "5b18502a28c65dfd209ea5aebb405fb6fc07f7e1", + "5c8bfe59213b6e9a5eb50debebc396e99a9fa174", + "5d6f7e02b7cdad63b06ab3877915532cd30073b4", + "5e76f7cf8cb1fc353b84b96c72a36c4984cbd005", + 
"5edc3ded41385ca1b9a80339d2a070e4d0a17cb6", + "60a2abf4e00318875a661c29b36df7a68e484bf4", + "62e345dcf33dd13810ceba10407c30a7db6a0958", + "6491ec31f7b0d27492e3046c86de94838dcb523c", + "65622dcbf4c25328cd440d1b322c6530abe83337", + "65b1927d8262617ca3d25f296fdde1e8c48f813d", + "6675ed2a9028caf87bb5915503c08a595e57b77d", + "670d4cfef0544295bc27a114dbac37980d83185a", + "687eda924018599a7c4518013c369f0bfb7eb0e1", + "6941443daa441371720e9ef8f3554c3958cfb071", + "7002636de42c9ef59a2921bb4f78744cabe8bfe3", + "711419034010345c604724ef87ec3db91ffe0936", + "71e7ede9d48a2e096f6d5d0516c763513a471bd1", "722ff6b958a31d4ca3405db35a72648a6077a6bb", - "2afc2e57e051513a3f5f67e74857696a8558d67b", - "283fbcdd1e64975730a38609f8802ef983a43cb9", - "ab5d55c35f3919fe06e9daedce5a32f4aab23777", - "e2fbf5b72a6a12abd15be9b37656a0a136fc32f8", - "399c3345e0f76f583d830cd7da27518bbb00c91a", - "b6679148d27038e59d7818facc4d100e677a64ae", - "43a0256bb22b0c2e1803ac6e28f55e5989a60523", - "f5f5cc19d1f681884684426c96adadef47a3b55c", + "72c33f6840f49f9ed7d1faef7562b3266640fdf4", + "731788bc8b082f8c81c63ca0abd5950c7a68a2f1", + "73a1567027eea2fab2b057a193036f844736f7da", + "7539b1dee2c790ab2d1aa5e254ef877f5552ff97", + "7701d177ce02b7bd38c4ebd2ba4a7783080505ae", + "770b8dae4cf00919e5eafffbd8d58186294b61b5", + "77373ee937410eceadc4dc64b1100d897ed593d0", + "77b384eced7745af978888311ea3c67e57c7ed96", + "77b516425597da3c093a666c11608112e91604de", "787afde64d7b36591050440c4a14c2288b373de6", + "79f5ef7c40ae7a4ee6bcd26d324bf50491b431e5", + "7ad95dd0798a40da1ccdff6dff35fd177b5edf40", + "7b079234548be56f14c6e342d4660aa8d54865b7", "7b8349ac747c6a24702b762d2c4fd9266cf4f1d6", - "0e4404da71227dcc02fb1deee803d93e86d08f72", - "a95acef3719e5e9f7614cc90a119dee4699291eb", - "3ba0e99ffa727bd7eb782b7a5d1aafcb989b0899", - "5edc3ded41385ca1b9a80339d2a070e4d0a17cb6", - "2c9db3558be789ef3896b03ed3f354b822c304b9", - "a833012353d046b1f12c82db87d01c86570b24d7", - "77b516425597da3c093a666c11608112e91604de", - 
"1ade51a028efa6990b524e0b01237dbd9123957d", - "9e27074feeaed4b0ae4e5e71187eff80c0f0bf35", - "cd515839285fe1a31b92193360172d59f818c9b8", - "9f33a69b86c3c76c52e41d12d83e233065bfcca9", - "36babc3691687601732d9e2571b698be4116469a", - "51d6538a90f86fe93ac480b35f37b2be17fef232", - "31c299268d302dd0aa9a0dcf765a3d58971ac83f", - "3e92d6a11b92fa4612d66712704844bdc0c48aed", - "9211cbc02789a32acf5e90c23a42f040ac3ec3f8", - "0cb32393ebcfc65467398e5daadfb63b2184caea", - "0f9a5c380d77a8b2888a78c3d3a14db15949b1fa", + "7b8fd2dbef04521fdd8d670ef4c77be691845aa2", + "7c634f6a68c1076d3cfdc56930db26e86f7876d7", + "7c97801ccf41d5273de9e22c8b2af6860c7703a2", + "7cdd87a79f79db641dae55776224443026d28928", + "7d17c9173a3d25ebba15cedb25b5205bdfb1eac8", + "7ddc4634ce2d8ca5c03846918ae1df6aa40ee464", + "7f97868eec74b32b0982dd158a51a446d1da7eb5", + "81205292aba40f8868069e2f18d90043d3e724a6", + "8171f560dedcb162dd3d2c925015679e84bac269", + "8173ecbc8953a159ae0fa2fad94adf3553b0bf8e", "82377a97b299347cd15cc1be13e1c8d04e33efbb", - "fe9486c37432968838e1798b2317dc1aa10b586b", - "77b384eced7745af978888311ea3c67e57c7ed96", - "fc7f19eff1782a0beae3065097c776183e7d01d0", - "dbd6d0229d1f1e1c3055cd82efb81f60a27d1103", - "25c4ec802a7d637f88d584ab26798e94ad14c13b", - "5e76f7cf8cb1fc353b84b96c72a36c4984cbd005", - "a5844a8f8f489bad96ab6da62cfa21ee1f5d9e6b", - "41c132e8ac051886e4eb06e7c3d58ced63d58057", - "4f03e946c120a8f146f43bee6f392f9bb5d0a677", - "287cf08546ab5e7e37d55a84f7ed3fd1db036de5", - "1092c5d94f266e0f94e485a24f7010da877eeba0", - "910de082618d0d8ccac6443a6e7a72cc8bcd5227", - "feb4ca79644e8e7e39c06095246ee54b1282c118", - "3c68098bffba683534584be69216dac3a2b2305a", - "3323b7713e656f16fbd0eec27c60370b6237f4e3", - "f3293401ceedf2a32a1c22cb062b274dba6be798", - "43607cc2a1772b23faf366c24b8e33541187b64d", - "add015b1c64e144664b73d5eacfeb6aeace2e45c", - "3e69410288aeb97d31353af8e063b798d40feb3f", - "39e59aa7e15898a87148f0f4891a085c83b9b0fc", - "a3f3340b5840cee44f372bddb5880fcbc419b46a", - 
"05d405925260878bd750ea7d96c746c2d726b349", - "65622dcbf4c25328cd440d1b322c6530abe83337", + "835086a6b6aa65939515e30b5d6c2eba43d7c075", + "837b0877fcd6b2c8ba83d126917267695ff16ad8", + "838f4ea96166350b9185bf3d2cbf786d34127ca2", + "857a0b2759f87f47aaebad6dd319cf4f887eb6dc", + "85db785e81ed62ffae7a145404fc0f022335378c", + "8691640bc70f3d96128a809341d850b550a3abb9", + "86f5ed62f8a0ee96bd888d2efdfd6d4fb100a4eb", + "87e4a22b684220ccca96de3f2e651b2380a55f9e", + "885e19c0dda1f4e4e22837474879f8f3d36fb449", "8ca81d591dc2242f9c4b7a907533f0b7f93802b5", - "3d8cfc3754fba03b8f1a0d44ea4e6e870cf86c57", - "eb3733d160e74a9c7e442f435eb3bea458e1d19f", - "d0fefed9b627fbe0c1597ac29ed5f48ff2eb9064", - "dcd83b31fd165d8cc8677fce58f889dca3e06f35", - "7f97868eec74b32b0982dd158a51a446d1da7eb5", + "8e626dec39b5836cef636d885e33479debcf0cb1", + "8eba062837dc10754db7cbafcbedbfbc985ca172", + "8ed39f36d6f36299d2ce5f9b35a05d048500f777", + "90376f16b6d74c4e2fff21dd24397bec3dc62dd5", + "910de082618d0d8ccac6443a6e7a72cc8bcd5227", + "914e67f109a574665d15c0d179cdc796abefb176", + "91eb945ac02153399ac9f69e34751f1a176254c3", + "920b7d819b42f26f4796e4a43f518090a7a6331f", + "9211cbc02789a32acf5e90c23a42f040ac3ec3f8", "925f818e2c358746b3a14bf3e5614db14208037f", - "c95af922eae69f190717a0b7148960af8c55a072", - "0516c53462e633a479f3826e1d3557033413eeb8", - "53087c11c10b453af4f2eb47471434eae75526f9", - "5420a8b6744d3b0345ab293f6fcba19c978f1183", - "fb03f24d58ac0c7a3d85edc1b91dfcfea4329883", - "08434a82b8376f585898a97654ce18065d14cb97", - "a5b47d31c556af34a302ce5d659e6fea44d90de0", - "838f4ea96166350b9185bf3d2cbf786d34127ca2", - "f2d2788ce5b1741745c0d1a853e856b5b77376b2", - "284796d39ddb313ec0ae04898de280d41fe32479", + "93d787c44dc828e1c67fa275cb66eb86bb2929f8", "970885f01c8bc1fecb7ab1c8ce8e7609bda45530", - "4f3d34e492b8930c50204a216d960e7da0dc5f63", + "97203c6e4fc7347bfef3bd6d4913e90bd46c7ecb", + "9a4310b1caff4cca3780580195a916ca060d08f7", + "9c272e25743608d6d3287141522eb4506b2dac45", + 
"9ca8abd6882a6e741166e6ec946a73f3a64df65a", + "9e27074feeaed4b0ae4e5e71187eff80c0f0bf35", + "9eade332f0ceebc6b7c9e24893574cad4c51722b", + "9f33a69b86c3c76c52e41d12d83e233065bfcca9", "9f389a1f0b1d442eba00213e7aa09ccd878d18b0", - "1b2e8c1531abbfe7dcd3de8ff4483326af275bc8", - "14227de293ca979cf205cd88769fe71ed96a97e2", - "e72f93569ef83aca933836c2fb9185faeeced236", - "3b4ad1db5b2a649883ff3782f5f9f6fb52be71af", "a0ae8d516398f3724bb3db614ab47f0e4f643f2e", - "f7a330473f18ddc052fce1f71a2b2d1231860f71", - "81205292aba40f8868069e2f18d90043d3e724a6", - "059398de19c863a04c55315526d6c226de540aa1", - "e6ec13e5a80029d7ebcbc2c90d16ce5ff1fa6c84", - "8173ecbc8953a159ae0fa2fad94adf3553b0bf8e", - "b7dfe2d918fda477aa5b42519294b5ada3c991fa", + "a1c4bcb6c278a41992e2f4f0f29a44b4146daa5c", + "a311394a2a9276454d3f92d26838c3ae3d99cdf3", + "a347d2466e459933f4fb25f8026d995977436ccf", + "a3f3340b5840cee44f372bddb5880fcbc419b46a", + "a528d0ef484d32e416d7b9c4a249d1fa7111be6e", + "a5844a8f8f489bad96ab6da62cfa21ee1f5d9e6b", + "a5b47d31c556af34a302ce5d659e6fea44d90de0", + "a65e08b08285cef29253c50ffd92469bf6e26a29", + "a6dc653f939ab0e6a554873806c41add1140d90c", + "a72a87d92dad7563e31c2c007e8d67f93d67f221", + "a833012353d046b1f12c82db87d01c86570b24d7", + "a83829b6f1293c91addabc89d0571c246397bbf4", + "a95acef3719e5e9f7614cc90a119dee4699291eb", + "ab5d55c35f3919fe06e9daedce5a32f4aab23777", + "add015b1c64e144664b73d5eacfeb6aeace2e45c", + "addb3a024ff5763c8facbe4767fe530d602cfedc", + "b01920c75e30179201b01633db246038b0226ce9", + "b0c168ac0cf9493da1f9bb76c34b26ffef940b4a", + "b3031338ac8e006cbd668f67c36c24d2c5e64b6d", + "b3472531944cd769419f297322dc285a0fc0d6cc", + "b51f82a2e3cbedab685908bd64d61d0a1b781754", + "b6679148d27038e59d7818facc4d100e677a64ae", "b6b591a3c0ec0452719f4d4555a3e084fd9f12fb", + "b754a4fe6ad8db932e083a2d85ae2199b3516bef", + "b7dfe2d918fda477aa5b42519294b5ada3c991fa", + "b7fbda9990042cd5456fdf187480c25fdd776f92", + "b9b22c434500d7639936fbed673fc0ef23ce88f6", 
"ba29208cca8f239f2cea685183f79df8e4defc29", - "422f540d2e1f1b41b6184903cd1eb69c777df1bb", - "914e67f109a574665d15c0d179cdc796abefb176", - "1bf6a7ce154075e61134f8a68dd50902c3027a10", - "2628b30e544c309ac3d0c8cd7e78a785400cd41f", - "0846a25da24891a7b3c725bc190493b5f7525db8", - "4cadac2bc790baeffa0a7fa19689223966a64c24", - "b3031338ac8e006cbd668f67c36c24d2c5e64b6d", + "bb263360b83253468e534d974aabeddd6c22f887", + "bb4e33bf68bf89cad44d386192cbed201f35b241", + "bc27649cd5454055cf20fdb9ef556c214d3f9aa0", + "bd61a856f807e525beaee41959452c88c83d46cf", + "bef53efd0c76e49e6de55ead051f886bea7e9420", + "c11897f0ba79d8a35d8a124ff0d76e13d9dccb9b", + "c1cd2254a6dd314c9d73c338c12688c9325d85c6", + "c325d146e464fb9567e780ddfa2dad3a99323075", + "c4a9fb418357aceb801272d73efd518f183700fa", + "c544d0342172409bd9c8f7c45d9fb21971c8aee9", + "c6314f5b627e2a1c1846d89cd775de6b2808d37e", + "c75e52ecee48db6de9aa73d00a360d43abf3e7ac", + "c78cd3ebd83777ac093137fbb55c33a9d3f65819", + "c7da9dcff86f24fcfdc15e1f9fa39dfc19784616", + "c7f6f9c6e6c14027a46eb91241427dba67604f39", + "c95af922eae69f190717a0b7148960af8c55a072", + "ca3d523f32f3b33fb3265bfeb8e11003a8670e3d", + "cd515839285fe1a31b92193360172d59f818c9b8", "cd8b52f8269e0feb286dfeef29f8fe4d5b397e0b", - "205b70273c7999d96b32db43ab54337690817184", - "62e345dcf33dd13810ceba10407c30a7db6a0958", - "53feefa2559fb8dfa8d81baad31be332c97d6c77", + "cdd36ee8d333aa740c1c0bceae0da74969b2c60b", + "d00346f943c9d2c43424c8a3840f5ca58817750d", + "d0b6f3facf302fb1bf969a12bad68ce720b3c025", + "d0fefed9b627fbe0c1597ac29ed5f48ff2eb9064", + "d466437aa4adc35830964cffc5b5f262c63ddcb4", + "d4766d1dff71f8a135a57e1fcff946c8c1a140ab", + "d56ec34a3ded0bb58c82198664664ccb81eec91b", + "d6385b38675d8d03521c9290f4f3d7bff08664c0", + "d670f9405373e636a5a2765eea47fac0c9bc91a4", + "d6b53382672776035ad8ef0404681f8a4a16bb95", + "d6c23fbaf16f72995b58492627e65801cfb9a8dd", + "dbd6d0229d1f1e1c3055cd82efb81f60a27d1103", + "dcd83b31fd165d8cc8677fce58f889dca3e06f35", + 
"dd8f49ae7840d1fc6810d53ee7b05356da92f81f", + "de3643d77b438c6f0f69f350c437639a300b5e73", + "df747160af0ebfcc572951e4168d4b1bc91a47f5", + "e2fbf5b72a6a12abd15be9b37656a0a136fc32f8", + "e334f8522ac9fe2b381c329b3159a328eeb14f76", + "e47eca576e8f3a433de0ba77f1923e7c7f959667", + "e4ac4c457c23b390e7fd75ddf746c5a69aa8cfd5", + "e4d366fc3c7938e2958e662b4258c7a89e1f0e3e", + "e6da37e746419537560c1e95e429f42b33f6d0e3", + "e6ec13e5a80029d7ebcbc2c90d16ce5ff1fa6c84", "e720624475f3807e3dc6477e7af6feb09da0b848", - "bd61a856f807e525beaee41959452c88c83d46cf", + "e72f93569ef83aca933836c2fb9185faeeced236", + "e8976af76e3d35c48f8b2c9540cca3e92995fbc6", + "e90048704a8adb0b81b2e15ebafd1a35fa110903", + "e90bcf783f7abddaa0ee0994a09e536498744e49", + "e9bfed595636e952566e5cb857c22b918f2530a2", + "eb3733d160e74a9c7e442f435eb3bea458e1d19f", + "ec232d2920a84930b077414b60b5985e076ae228", + "eca94c41d994ae2215d455ce578ae6e2dc6ee516", + "ee2f4956ea46791a74a31142105f03c0d5f9492b", + "eea198a9c5cc6e02bfcd130a932051088a9f0950", + "ef0aede23c8c624e127a9a59183ee8915e48a3c9", + "f0766b44ca7999dc9af38a050ddf6db79d05bf3b", + "f221b8435cfb71e54062f6c6e99e9ade30b124d5", + "f29dde21846f6357ee4421013b59eefd65c069b0", + "f2d2788ce5b1741745c0d1a853e856b5b77376b2", + "f3293401ceedf2a32a1c22cb062b274dba6be798", + "f4d271a8a289b41fa88b802c430fefde4e018bba", + "f59f5e67022f3c186e20af01b1993b86ac74f0dc", + "f5f5cc19d1f681884684426c96adadef47a3b55c", + "f7716cbe52baa25d2e9b0d0da546fcf909fc16b4", + "f7a330473f18ddc052fce1f71a2b2d1231860f71", + "f7e23311052d3dda728ce15788fb3727898afa17", + "f8db564a0a4a5f6d04f66522493597f18e5ab4ae", "f90ceb4f409096b60e2e9076b38b304b8246e5fa", - "3c0d4d4f56c36fcfd2da00ff26c40046512b4208", - "1f1f61830e4c9f1eff03047c9d1d11e576853bc4", "f96735bc0fa70a12e9f41277b2d909e0c477ee30", - "e334f8522ac9fe2b381c329b3159a328eeb14f76", - "18e5f12b39cb93b31a249fb7115b9bbf6162aeeb", - "b3472531944cd769419f297322dc285a0fc0d6cc", - "3e542fbf7c84c0bf22f51ad07899cf80f8658caa", - 
"00efe9c47819ca58089c4bd5d1d8463248e23228", - "670d4cfef0544295bc27a114dbac37980d83185a", - "8ed39f36d6f36299d2ce5f9b35a05d048500f777", - "bb4e33bf68bf89cad44d386192cbed201f35b241", - "bef53efd0c76e49e6de55ead051f886bea7e9420", - "9eade332f0ceebc6b7c9e24893574cad4c51722b" + "fa9662d290d59b79f2ef7e1f72c885560efe512d", + "fb03f24d58ac0c7a3d85edc1b91dfcfea4329883", + "fc7f19eff1782a0beae3065097c776183e7d01d0", + "fdc1ab46101a842d9e914408bd481f6647d5f9c1", + "fe9486c37432968838e1798b2317dc1aa10b586b", + "feb4ca79644e8e7e39c06095246ee54b1282c118" ], "snyk.vulnerabilities.title": "Denial of Service (DoS)", "snyk.vulnerabilities.type": "vuln", @@ -654,8 +654,8 @@ ], "snyk.vulnerabilities.version": "2.1.0", "tags": [ - "snyk-vulnerabilities", - "forwarded" + "forwarded", + "snyk-vulnerabilities" ], "vulnerability.category": "Github", "vulnerability.classification": "CVSS", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json index dc2a22faf28..5f03c23e5da 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json @@ -34,8 +34,8 @@ ], "source.port": 36701, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -61,8 +61,8 @@ "rsa.time.event_time": "2007-01-03T16:48:07.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -100,8 +100,8 @@ ], "source.port": 36702, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -128,8 +128,8 @@ "rsa.time.event_time": "2007-01-03T16:48:07.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -156,8 +156,8 @@ "rsa.time.event_time": "2007-01-03T16:48:08.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -184,8 +184,8 @@ "rsa.time.event_time": "2007-01-03T16:48:10.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -212,8 +212,8 @@ "rsa.time.event_time": "2007-01-03T16:48:10.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -251,8 +251,8 @@ ], "source.port": 36703, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -278,8 +278,8 @@ "rsa.time.event_time": "2007-01-03T16:48:10.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -317,8 +317,8 @@ ], "source.port": 36704, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -355,8 +355,8 @@ ], "source.port": 1026, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -383,8 +383,8 @@ "rsa.time.event_time": "2007-01-03T16:48:14.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -405,8 +405,8 @@ "rsa.time.event_time": "2007-01-03T16:48:15.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -444,8 +444,8 @@ ], "source.port": 500, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -464,8 +464,8 @@ "rsa.time.event_time": "2007-01-03T16:48:15.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -496,8 +496,8 @@ ], "source.port": 11549, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -528,8 +528,8 @@ ], "source.port": 3182, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -556,8 +556,8 @@ "rsa.time.event_time": "2007-01-03T16:48:18.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -584,8 +584,8 @@ "rsa.time.event_time": "2007-01-03T16:48:20.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -616,8 +616,8 @@ ], "source.port": 524, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -648,8 +648,8 @@ ], "source.port": 28503, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 627bee6d954..5edd96a02d0 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -36,8 +36,8 @@ ], "source.port": 1001, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -77,8 +77,8 @@ "source.nat.ip": "10.92.136.230", "source.nat.port": 6437, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -98,8 +98,8 @@ "rsa.time.event_time": "2016-02-26T22:15:08.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -127,8 +127,13 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.149.203.46", +<<<<<<< HEAD "10.227.15.1", "10.150.156.22" +======= + "10.150.156.22", + "10.227.15.1" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -150,8 +155,8 @@ "source.mac": "01:00:5e:84:66:6c", "source.port": 6378, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -170,8 +175,8 @@ "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -191,8 +196,8 @@ "rsa.time.event_time": "2016-04-09T19:22:51.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -212,8 +217,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.95.245.65", - "10.13.70.213" + "10.13.70.213", + "10.95.245.65" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -224,8 +229,8 @@ "10.95.245.65" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -244,8 +249,8 @@ "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -264,8 +269,8 @@ "rsa.time.event_time": "2016-05-22T16:30:33.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -285,8 +290,8 @@ "rsa.time.event_time": "2016-06-05T23:33:08.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -322,8 +327,8 @@ ], "source.port": 3788, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
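Review bot: The hunk `@@ -127,8 +127,13 @@` commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 52f226530d...`) into the `related.ip` array of generated.log-expected.json, which leaves the fixture as invalid JSON and will break the sonicwall module's expected-output test rather than exercise it. The cherry-picked side is the sorted ordering this commit intends, so the array should resolve to `"10.149.203.46",` / `"10.150.156.22",` / `"10.227.15.1"` with the three marker lines and the HEAD ordering dropped (the `+13` in the hunk header confirms the markers were counted as content). It would also be worth having the test harness, or a pre-commit hook, parse every `*-expected.json` with `python -m json.tool` so a bad cherry-pick like this fails before merge.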
@@ -342,8 +347,8 @@ "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -363,8 +368,8 @@ "rsa.time.event_time": "2016-07-18T20:40:50.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -384,8 +389,8 @@ "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -410,8 +415,8 @@ "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -431,8 +436,8 @@ "rsa.time.event_time": "2016-08-30T17:48:33.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -455,8 +460,8 @@ "rsa.time.event_time": "2016-09-14T00:51:07.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -476,8 +481,8 @@ "rsa.time.event_time": "2016-09-28T07:53:42.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -512,8 +517,8 @@ "source.address": "fugi4637.www.lan", "source.nat.ip": "10.241.178.107", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -533,8 +538,8 @@ "rsa.time.event_time": "2016-10-26T21:58:50.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -565,8 +570,8 @@ "source.nat.ip": "10.157.161.103", "source.nat.port": 383, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -599,8 +604,8 @@ "10.153.136.222" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -620,8 +625,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.239.201.234", - "10.204.11.20" + "10.204.11.20", + "10.239.201.234" ], "rsa.internal.messageid": "87", "rsa.internal.msg": "Loremip", @@ -632,8 +637,8 @@ "10.204.11.20" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -660,8 +665,12 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ + "10.219.116.137", "10.245.200.97", +<<<<<<< HEAD "10.219.116.137", +======= +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) "10.34.161.166" ], "rsa.internal.event_desc": "rehend", @@ -684,8 +693,8 @@ "source.mac": "01:00:5e:1a:ec:91", "source.port": 3768, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -718,8 +727,8 @@ "10.118.80.140" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -739,8 +748,8 @@ "rsa.time.event_time": "2017-01-20T16:14:16.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -760,8 +769,8 @@ "rsa.time.event_time": "2017-02-03T23:16:50.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -781,8 +790,8 @@ "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -802,8 +811,8 @@ "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -846,8 +855,8 @@ ], "source.port": 3266, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -867,8 +876,8 @@ "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -888,8 +897,8 @@ "rsa.time.event_time": "2017-04-16T10:29:41.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -920,8 +929,8 @@ "10.237.163.139" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -956,8 +965,8 @@ ], "source.port": 1493, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -977,8 +986,8 @@ "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -997,8 +1006,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.16.72.220", - "10.111.187.12" + "10.111.187.12", + "10.16.72.220" ], "related.user": [ "tenbyCi" @@ -1011,8 +1020,8 @@ "source.nat.ip": "10.16.72.220", "source.nat.port": 1842, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ], "user.name": "tenbyCi" }, @@ -1033,8 +1042,8 @@ "rsa.time.event_time": "2017-06-26T21:42:33.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1056,8 +1065,8 @@ "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1078,8 +1087,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.143.76.137", - "10.131.61.13" + "10.131.61.13", + "10.143.76.137" ], "rsa.internal.messageid": "538", "rsa.misc.action": [ 
@@ -1094,8 +1103,8 @@ ], "source.port": 1414, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1137,8 +1146,8 @@ "source.nat.ip": "10.99.0.226", "source.nat.port": 2984, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1161,8 +1170,8 @@ "rsa.time.event_time": "2017-08-23T01:52:50.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1182,8 +1191,8 @@ "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1205,8 +1214,8 @@ "rsa.time.event_time": "2017-09-20T15:57:58.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1225,8 +1234,8 @@ "rsa.time.event_time": "2017-10-04T23:00:32.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1246,8 +1255,8 @@ "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1267,8 +1276,8 @@ "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1304,8 +1313,8 @@ ], "source.port": 2631, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1325,8 +1334,8 @@ "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -1346,8 +1355,8 @@ "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1369,8 +1378,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.227.15.253", - "10.190.175.158" + "10.190.175.158", + "10.227.15.253" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "taevita", @@ -1382,8 +1391,8 @@ ], "source.port": 271, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1403,8 +1412,8 @@ "rsa.time.event_time": "2018-01-13T00:18:32.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1440,8 +1449,8 @@ ], "source.port": 1871, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1461,8 +1470,8 @@ "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1485,8 +1494,8 @@ "rsa.time.event_time": "2018-02-24T21:26:15.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1506,8 +1515,8 @@ "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1527,8 +1536,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.25.32.107", - "10.18.204.87" + "10.18.204.87", + "10.25.32.107" ], "related.user": [ "cteturad" @@ -1542,8 +1551,8 @@ "10.18.204.87" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ], "user.name": "cteturad" }, 
@@ -1571,9 +1580,15 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ +<<<<<<< HEAD "10.71.238.250", "10.21.89.175", "10.246.0.167" +======= + "10.21.89.175", + "10.246.0.167", + "10.71.238.250" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.event_desc": "elitse", "rsa.internal.messageid": "428", @@ -1595,8 +1610,8 @@ "source.mac": "01:00:5e:7c:42:0b", "source.port": 41, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1639,8 +1654,8 @@ ], "source.port": 2000, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1660,8 +1675,8 @@ "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1679,8 +1694,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.77.174.205", - "10.240.49.224" + "10.240.49.224", + "10.77.174.205" ], "rsa.internal.messageid": "240", "rsa.internal.msg": "issuscip", @@ -1690,8 +1705,8 @@ "service.type": "sonicwall", "source.nat.ip": "10.240.49.224", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1711,8 +1726,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.44.150.31", - "10.187.210.173" + "10.187.210.173", + "10.44.150.31" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "quamnih", @@ -1723,8 +1738,8 @@ "10.44.150.31" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -1751,8 +1766,13 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.108.84.24", +<<<<<<< HEAD "10.251.248.228", "10.113.100.237" +======= + "10.113.100.237", + "10.251.248.228" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1773,8 +1793,8 @@ "source.mac": "01:00:5e:8b:c1:b4", "source.port": 3887, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1794,8 +1814,8 @@ "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1814,8 +1834,8 @@ "rsa.time.event_time": "2018-07-17T19:51:58.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1837,8 +1857,8 @@ "rsa.time.event_time": "2018-08-01T02:54:32.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1877,8 +1897,8 @@ ], "source.port": 3346, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1916,8 +1936,8 @@ ], "source.port": 1081, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1937,8 +1957,8 @@ "rsa.time.event_time": "2018-09-13T00:02:15.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1973,8 +1993,8 @@ "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -1994,8 +2014,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.240.54.28", - "10.115.38.80" + "10.115.38.80", + "10.240.54.28" ], "rsa.internal.messageid": "441", "rsa.internal.msg": "labor", 
@@ -2006,8 +2026,8 @@ "10.240.54.28" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2027,8 +2047,8 @@ "rsa.time.event_time": "2018-10-25T21:09:57.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2060,8 +2080,8 @@ "10.102.166.19" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2084,8 +2104,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.203.77.154", - "10.120.25.169" + "10.120.25.169", + "10.203.77.154" ], "rsa.internal.messageid": "199", "rsa.misc.action": [ @@ -2101,8 +2121,8 @@ ], "source.port": 3916, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2121,8 +2141,8 @@ "rsa.time.event_time": "2018-12-07T18:17:40.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2142,8 +2162,8 @@ "rsa.time.event_time": "2018-12-22T01:20:14.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2178,8 +2198,8 @@ ], "source.port": 2310, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2198,8 +2218,8 @@ "rsa.time.event_time": "2019-01-19T15:25:23.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2229,8 +2249,8 @@ "source.nat.ip": "10.165.48.224", "source.nat.port": 5386, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2252,8 +2272,8 @@ "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -2284,8 +2304,8 @@ "source.nat.ip": "10.185.37.32", "source.nat.port": 708, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2316,8 +2336,8 @@ "source.nat.ip": "10.219.42.212", "source.nat.port": 5708, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2356,8 +2376,8 @@ ], "source.port": 2737, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2401,8 +2421,8 @@ "10.132.171.15" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2422,8 +2442,8 @@ "rsa.time.event_time": "2019-04-29T16:43:23.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2455,8 +2475,8 @@ "10.135.70.159" ], "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2494,8 +2514,8 @@ ], "source.port": 1865, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ], "user.name": "usmo" }, @@ -2516,8 +2536,8 @@ "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2537,8 +2557,8 @@ "rsa.time.event_time": "2019-06-25T20:53:40.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2557,8 +2577,8 @@ "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2578,8 +2598,8 @@ "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { 
@@ -2610,8 +2630,8 @@ "source.nat.ip": "10.56.10.84", "source.nat.port": 5366, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2633,8 +2653,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.222.169.140", - "10.117.63.181" + "10.117.63.181", + "10.222.169.140" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -2646,8 +2666,8 @@ ], "source.port": 5299, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2670,8 +2690,8 @@ "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2690,8 +2710,8 @@ "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2734,8 +2754,8 @@ ], "source.port": 239, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2755,8 +2775,8 @@ "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2786,8 +2806,8 @@ "source.nat.ip": "10.206.229.61", "source.nat.port": 3467, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2807,8 +2827,8 @@ "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2831,8 +2851,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.167.9.200", - "10.119.4.120" + "10.119.4.120", + "10.167.9.200" ], "rsa.internal.messageid": "520", "rsa.internal.msg": "itse", 
@@ -2846,8 +2866,8 @@ ], "source.port": 4003, "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] }, { @@ -2869,8 +2889,8 @@ "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "sonicwall", "tags": [ - "sonicwall.firewall", - "forwarded" + "forwarded", + "sonicwall.firewall" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json index 944ddf2f6f5..325298c2344 100644 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json @@ -17,8 +17,8 @@ "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -60,8 +60,13 @@ ], "related.user": [ "dexeac", +<<<<<<< HEAD "sunt", "icistatuscode=giatquov" +======= + "icistatuscode=giatquov", + "sunt" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "run", "rsa.identity.logon_type": "nofdeF", @@ -100,8 +105,8 @@ "source.mac": "01:00:5e:1d:c1:c0", "source.port": 2289, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.domain": "mail.example.net", "url.extension": "html", @@ -142,8 +147,8 @@ "rsa.time.event_time": "2016-02-26T22:15:08.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -191,8 +196,8 @@ "10.106.239.55" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "itquiin" }, @@ -225,8 +230,8 @@ "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { 
@@ -247,8 +252,8 @@ "rsa.time.event_time": "2016-04-09T19:22:51.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -270,8 +275,8 @@ "rsa.time.event_time": "2016-04-24T02:25:25.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -310,8 +315,8 @@ "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -338,8 +343,8 @@ "rsa.time.event_time": "2016-05-22T16:30:33.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -369,8 +374,8 @@ "rsa.time.event_time": "2016-06-05T23:33:08.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -403,8 +408,8 @@ "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -435,8 +440,8 @@ "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -471,8 +476,8 @@ "service.name": "col", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "agnaaliq" }, @@ -494,8 +499,8 @@ "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -529,8 +534,8 @@ ], "source.port": 6676, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -561,8 +566,8 @@ "rsa.time.event_time": "2016-08-30T17:48:33.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { 
@@ -595,8 +600,8 @@ "rsa.time.event_time": "2016-09-14T00:51:07.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -617,8 +622,8 @@ "rsa.time.event_time": "2016-09-28T07:53:42.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -666,8 +671,8 @@ "10.54.169.175" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "scipit" }, @@ -697,8 +702,8 @@ "service.name": "aeabillo", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "eruntmo" }, @@ -727,8 +732,8 @@ ], "source.port": 6195, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -761,8 +766,8 @@ "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -801,8 +806,8 @@ "rsa.time.event_time": "2016-12-08T19:06:33.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -829,8 +834,8 @@ "rsa.time.event_time": "2016-12-23T02:09:07.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -864,8 +869,8 @@ ], "source.port": 4713, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -922,8 +927,8 @@ "source.mac": "01:00:5e:15:3a:74", "source.port": 7807, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -956,8 +961,8 @@ "rsa.time.event_time": "2017-02-03T23:16:50.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -999,8 +1004,8 @@ "10.232.108.32" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "llum" }, 
@@ -1044,8 +1049,13 @@ ], "related.user": [ "pteurs", +<<<<<<< HEAD "tio", "tcustatuscode=eumiu" +======= + "tcustatuscode=eumiu", + "tio" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "eavolupt", "rsa.identity.logon_type": "ursintoc", @@ -1087,8 +1097,8 @@ "source.mac": "01:00:5e:6f:71:02", "source.port": 5334, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.domain": "mail.example.net", "url.extension": "txt", @@ -1131,8 +1141,8 @@ "service.name": "dminimve", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "uptate" }, @@ -1159,8 +1169,8 @@ "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.path": "atcupi" }, @@ -1184,8 +1194,8 @@ "rsa.time.event_time": "2017-04-16T10:29:41.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1212,8 +1222,8 @@ "rsa.time.event_time": "2017-04-30T17:32:16.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1246,8 +1256,8 @@ "rsa.time.event_time": "2017-05-15T00:34:50.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.domain": "www5.example.com", "url.extension": "htm", @@ -1278,8 +1288,8 @@ "service.name": "oNemoeni", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1309,8 +1319,8 @@ "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1350,8 +1360,8 @@ "rsa.time.event_time": "2017-06-26T21:42:33.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { 
@@ -1383,8 +1393,8 @@ "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.path": "sitv" }, @@ -1421,8 +1431,8 @@ ], "source.port": 5794, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1455,8 +1465,8 @@ "10.230.4.70" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1484,8 +1494,8 @@ "rsa.time.event_time": "2017-08-23T01:52:50.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1512,8 +1522,8 @@ "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1546,8 +1556,8 @@ "rsa.time.event_time": "2017-09-20T15:57:58.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1570,8 +1580,8 @@ "rsa.time.event_time": "2017-10-04T23:00:32.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1604,8 +1614,8 @@ "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1628,8 +1638,8 @@ "10.244.96.61" ], "related.user": [ - "iumt", - "itsedqui" + "itsedqui", + "iumt" ], "rsa.identity.logon_type": "psamvolu", "rsa.internal.event_desc": "orroqui", @@ -1647,8 +1657,8 @@ "10.244.96.61" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "itsedqui" }, @@ -1675,8 +1685,8 @@ "rsa.time.event_time": "2017-11-16T20:08:15.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1710,8 +1720,8 @@ "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { 
@@ -1738,8 +1748,8 @@ "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1771,8 +1781,8 @@ "rsa.time.event_time": "2017-12-29T17:15:58.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1805,8 +1815,8 @@ "rsa.time.event_time": "2018-01-13T00:18:32.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1831,8 +1841,8 @@ "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -1914,8 +1924,8 @@ "source.mac": "01:00:5e:65:2d:fe", "source.port": 4562, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.domain": "api.example.org", "url.extension": "txt", @@ -1974,8 +1984,8 @@ "source.mac": "01:00:5e:78:1a:5a", "source.port": 6585, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2014,8 +2024,8 @@ "rsa.time.process_time": "volup", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2049,18 +2059,25 @@ "observer.vendor": "Sophos", "observer.version": "1.2707", "related.hosts": [ - "tenima5715.api.example", - "iusmo901.www.home" + "iusmo901.www.home", + "tenima5715.api.example" ], "related.ip": [ - "10.92.93.236", - "10.2.24.156" + "10.2.24.156", + "10.92.93.236" ], "related.user": [ +<<<<<<< HEAD "dolorsistatuscode=acc", "Sedutper", "ulpaq", "ntoccae" +======= + "Sedutper", + "dolorsistatuscode=acc", + "ntoccae", + "ulpaq" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "snisiut", "rsa.identity.logon_type": "umdol", 
@@ -2103,8 +2120,8 @@ "source.mac": "01:00:5e:34:8c:d2", "source.port": 6938, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.domain": "www.example.org", "url.extension": "jpg", @@ -2152,13 +2169,13 @@ "mni4032.lan" ], "related.ip": [ - "10.202.65.2", - "10.180.169.49" + "10.180.169.49", + "10.202.65.2" ], "related.user": [ - "tasu", "atatno", - "iscivelistatuscode=urve" + "iscivelistatuscode=urve", + "tasu" ], "rsa.db.index": "amrem", "rsa.identity.logon_type": "nulamcol", @@ -2197,8 +2214,8 @@ "source.mac": "01:00:5e:1a:03:f5", "source.port": 3308, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.domain": "mail.example.net", "url.extension": "html", @@ -2239,8 +2256,8 @@ "rsa.time.event_time": "2018-04-23T01:36:32.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2278,8 +2295,8 @@ "rule.name": "nidolo", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.path": "uaUteni" }, @@ -2314,8 +2331,8 @@ "10.194.12.83" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2356,9 +2373,15 @@ "10.45.12.53" ], "related.user": [ +<<<<<<< HEAD "porincid", "umqustatuscode=ntexpli", "eturadip" +======= + "eturadip", + "porincid", + "umqustatuscode=ntexpli" +>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320) ], "rsa.db.index": "dolor", "rsa.identity.logon_type": "eturadi", @@ -2397,8 +2420,8 @@ "source.mac": "01:00:5e:a1:a3:9f", "source.port": 1455, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.domain": "www5.example.org", "url.extension": "jpg", @@ -2434,8 +2457,8 @@ ], "source.port": 2274, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { 
@@ -2468,8 +2491,8 @@ "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.path": "ectetu" }, @@ -2501,8 +2524,8 @@ "rsa.time.event_time": "2018-07-17T19:51:58.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2525,8 +2548,8 @@ "10.32.85.21" ], "related.user": [ - "etconsec", - "antium" + "antium", + "etconsec" ], "rsa.identity.logon_type": "umiurere", "rsa.internal.event_desc": "serro", @@ -2544,8 +2567,8 @@ "10.32.85.21" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "antium" }, @@ -2573,8 +2596,8 @@ "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2607,8 +2630,8 @@ "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2634,8 +2657,8 @@ "rsa.time.event_time": "2018-09-13T00:02:15.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2719,8 +2742,8 @@ "source.mac": "01:00:5e:0e:b3:8e", "source.port": 1125, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.domain": "internal.example.com", "url.extension": "jpg", @@ -2728,8 +2751,8 @@ "url.original": "https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq", "url.path": "/ritat/dipi.jpg", "url.query": [ - "iatquovo", - "aliquide=aliqui" + "aliquide=aliqui", + "iatquovo" ], "url.scheme": "https", "user.name": "reetd" @@ -2759,8 +2782,8 @@ "itametc1599.api.test" ], "related.ip": [ - "10.133.45.45", - "10.115.166.48" + "10.115.166.48", + "10.133.45.45" ], "rsa.internal.event_desc": "Authentication", "rsa.internal.messageid": "ulogd", 
@@ -2788,8 +2811,8 @@ "source.mac": "01:00:5e:5a:9d:a9", "source.port": 4180, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2816,8 +2839,8 @@ "rsa.time.event_time": "2018-10-25T21:09:57.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2851,8 +2874,8 @@ ], "source.port": 3506, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2873,8 +2896,8 @@ "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2907,8 +2930,8 @@ "rsa.time.event_time": "2018-12-07T18:17:40.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2939,8 +2962,8 @@ "rsa.time.event_time": "2018-12-22T01:20:14.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -2961,8 +2984,8 @@ "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3000,8 +3023,8 @@ "rule.name": "uat", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.path": "turvelil" }, @@ -3034,8 +3057,8 @@ "rsa.time.event_time": "2019-02-02T22:27:57.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3067,8 +3090,8 @@ "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3108,8 +3131,8 @@ "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { 
@@ -3141,8 +3164,8 @@ "rsa.time.event_time": "2019-03-17T19:35:40.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3163,8 +3186,8 @@ "rsa.time.event_time": "2019-04-01T02:38:14.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3191,8 +3214,8 @@ "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3233,8 +3256,8 @@ "rule.name": "uipex", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "url.path": "ercitati" }, @@ -3267,8 +3290,8 @@ "rsa.time.event_time": "2019-05-13T23:45:57.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3294,8 +3317,8 @@ "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3320,8 +3343,8 @@ "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3349,8 +3372,8 @@ "10.165.217.56" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3381,8 +3404,8 @@ "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3415,8 +3438,8 @@ "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3452,8 +3475,8 @@ "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { 
@@ -3486,8 +3509,8 @@ "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3515,8 +3538,8 @@ "imv1805.api.host" ], "related.ip": [ - "10.96.243.231", - "10.248.62.55" + "10.248.62.55", + "10.96.243.231" ], "rsa.internal.event_desc": "ICMP", "rsa.internal.messageid": "ulogd", @@ -3544,8 +3567,8 @@ "source.mac": "01:00:5e:87:02:08", "source.port": 5632, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3584,8 +3607,8 @@ "rsa.time.process_time": "cipitlab", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3606,8 +3629,8 @@ "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3647,8 +3670,8 @@ ], "source.port": 5342, "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3690,8 +3713,8 @@ "10.96.200.83" ], "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ], "user.name": "acommod" }, @@ -3719,8 +3742,8 @@ "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3744,8 +3767,8 @@ "service.name": "rnatu", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] }, { @@ -3772,8 +3795,8 @@ "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "sophos", "tags": [ - "sophos.utm", - "forwarded" + "forwarded", + "sophos.utm" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index 044a0b01f33..b8617119a8f 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json 
@@ -58,8 +58,8 @@ "source.port": 0, "source.user.email": "firewall@firewallgate.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -147,8 +147,8 @@ "source.port": 52742, "source.user.email": "telekommunikation@constant-big.email", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -184,9 +184,9 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -238,8 +238,8 @@ "source.port": 51789, "source.user.email": "ripxfc@17buddies.net", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -275,9 +275,9 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -326,8 +326,8 @@ "source.port": 55002, "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -353,9 +353,9 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -397,8 +397,8 @@ "source.port": 22420, "source.user.email": "gaurav1@iview.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -424,9 +424,9 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -468,8 +468,8 @@ "source.port": 58043, "source.user.email": "pankhil@postman.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { 
@@ -495,9 +495,9 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -539,8 +539,8 @@ "source.port": 60134, "source.user.email": "pankhil@postman.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -608,8 +608,8 @@ "source.port": 60298, "source.user.email": "pankhil@postman.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -634,9 +634,9 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -674,8 +674,8 @@ "source.ip": "10.198.16.121", "source.port": 60392, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -701,9 +701,9 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -744,8 +744,8 @@ "source.port": 60608, "source.user.email": "pankhil1@postman.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -771,9 +771,9 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -816,8 +816,8 @@ "source.port": 22333, "source.user.email": "gaurav1@iview.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index 8ab666cc94b..4a59a7c7925 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json 
+++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -31,9 +31,9 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -50,8 +50,8 @@ "some_other_host.local" ], "related.ip": [ - "172.16.34.24", - "13.226.155.93" + "13.226.155.93", + "172.16.34.24" ], "rule.id": "2", "server.bytes": 1616, @@ -73,8 +73,8 @@ "source.ip": "172.16.34.24", "source.port": 57695, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "sophostest.com", "url.extension": "pdf", @@ -115,9 +115,9 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -134,8 +134,8 @@ "my_fancy_host" ], "related.ip": [ - "172.16.34.24", - "13.226.155.18" + "13.226.155.18", + "172.16.34.24" ], "rule.id": "2", "server.bytes": 553, @@ -157,8 +157,8 @@ "source.ip": "172.16.34.24", "source.port": 57835, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "sophostest.com", "url.extension": "html", @@ -197,9 +197,9 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -215,8 +215,8 @@ "some_other_host.local" ], "related.ip": [ - "82.165.194.211", - "186.8.209.194" + "186.8.209.194", + "82.165.194.211" ], "rule.id": "22", "server.bytes": 0, @@ -250,8 +250,8 @@ "source.port": 56336, "source.user.email": "info@farasamed.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "farasamed.com" }, @@ -285,9 +285,9 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "my_fancy_host", 
@@ -303,8 +303,8 @@ "my_fancy_host" ], "related.ip": [ - "23.254.247.78", - "185.7.209.194" + "185.7.209.194", + "23.254.247.78" ], "rule.id": "22", "server.bytes": 0, @@ -341,8 +341,8 @@ "source.port": 54693, "source.user.email": "spedizioni@divella.it", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "divella.it" }, @@ -369,9 +369,9 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -415,8 +415,8 @@ "source.port": 56653, "source.user.email": "pankhil@postman.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "postman.local" }, @@ -443,9 +443,9 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -489,8 +489,8 @@ "source.port": 56632, "source.user.email": "pankhil@postman.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "postman.local" }, @@ -516,9 +516,9 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", "file.name": " /home/ftp-user/ta_test_file_1ta-cl1-46", @@ -562,8 +562,8 @@ "source.ip": "10.146.13.49", "source.port": 39910, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -629,8 +629,8 @@ "source.ip": "10.146.13.49", "source.port": 39936, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json index 969ca99d793..7db8e56d00f 100644 
--- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -27,8 +27,8 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -66,8 +66,8 @@ "source.port": 22623, "source.user.name": "jsmith", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.original": "46.161.30.47" }, @@ -102,8 +102,8 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -119,8 +119,8 @@ "my_fancy_host" ], "related.ip": [ - "172.16.34.24", - "13.226.155.22" + "13.226.155.22", + "172.16.34.24" ], "server.ip": "13.226.155.22", "server.port": 80, @@ -137,8 +137,8 @@ "source.ip": "172.16.34.24", "source.port": 57579, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "sophostest.com", "url.extension": "html", @@ -177,8 +177,8 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -194,8 +194,8 @@ "some_other_host.local" ], "related.ip": [ - "172.16.34.24", - "13.226.155.22" + "13.226.155.22", + "172.16.34.24" ], "server.ip": "13.226.155.22", "server.port": 80, @@ -212,8 +212,8 @@ "source.ip": "172.16.34.24", "source.port": 57540, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "sophostest.com", "url.extension": "html", @@ -249,8 +249,8 @@ "event.severity": "5", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", 
@@ -284,8 +284,8 @@ "source.ip": "10.198.32.89", "source.port": 0, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.original": "82.211.30.202" } diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index 3194c309b5b..9b6015900c7 100644 --- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -67,8 +67,8 @@ "source.user.group.name": "Open Group", "source.user.name": "jsmith", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com", "url.full": "https://r8---sn-ci5gup-qxas.googlevideo.com/", @@ -106,9 +106,9 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -124,8 +124,8 @@ "firewall.localgroup.local" ], "related.ip": [ - "5.5.5.15", - "216.58.197.44" + "216.58.197.44", + "5.5.5.15" ], "server.ip": "216.58.197.44", "server.port": 80, @@ -151,8 +151,8 @@ "source.ip": "5.5.5.15", "source.port": 46719, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "hanuman.com", "url.full": "http://hanuman.com/", @@ -187,9 +187,9 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -238,8 +238,8 @@ "source.ip": "5.5.5.15", "source.port": 49128, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -289,8 +289,8 @@ "my_fancy_host" ], "related.ip": [ - "172.17.34.10", - "13.79.168.201" + "13.79.168.201", + "172.17.34.10" ], "server.ip": "13.79.168.201", "server.port": 443, 
@@ -311,8 +311,8 @@ "source.ip": "172.17.34.10", "source.port": 62851, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "his-eur1-neur1.servicebus.windows.net", "url.full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket", @@ -350,9 +350,9 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "info", + "connection", "denied", - "connection" + "info" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -391,8 +391,8 @@ "source.ip": "172.16.34.15", "source.port": 60471, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "40.90.137.127", "url.full": "https://40.90.137.127/", @@ -470,8 +470,8 @@ "source.ip": "172.17.34.15", "source.port": 65391, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "update.eset.com", "url.extension": "signed", @@ -531,8 +531,8 @@ "sophos.xg.website": "ta-web-static-testing.qa. astaro.de", "source.ip": "10.108.108.49", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -604,8 +604,8 @@ "source.user.group.name": "Clientless Open Group", "source.user.name": "rich", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "www.google.com", "url.full": "http://www.google.com/", @@ -684,8 +684,8 @@ "source.user.group.name": "Clientless Open Group", "source.user.name": "rich", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.domain": "www.google.ca", "url.full": "http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw", diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json index f08587eaa91..18717948cc2 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json 
@@ -14,8 +14,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "user", - "start" + "start", + "user" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -51,8 +51,8 @@ "source.user.group.name": "Open Group", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "user.name": "elastic.user@elastic.test.com" }, @@ -88,8 +88,8 @@ "my_fancy_host" ], "related.ip": [ - "83.20.132.250", - "214.167.51.66" + "214.167.51.66", + "83.20.132.250" ], "related.user": [ "elastic.user@elastic.test.com" @@ -121,8 +121,8 @@ "source.ip": "83.20.132.250", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -158,8 +158,8 @@ "sophos.xg.priority": "Error", "sophos.xg.status": "Expire", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -177,8 +177,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "user", - "start" + "start", + "user" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -222,8 +222,8 @@ "source.ip": "83.9.140.96", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "user.name": "elastic.user@elastic.test.com" }, @@ -268,8 +268,8 @@ "sophos.xg.priority": "Notice", "sophos.xg.status": "Successful", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -306,8 +306,8 @@ "sophos.xg.raw_data": "192.168.110.10", "sophos.xg.status": "Expire", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -325,8 +325,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "user", - "start" + "start", + "user" ], "fileset.name": "xg", "host.name": "my_fancy_host", 
@@ -370,8 +370,8 @@ "source.ip": "217.250.157.135", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "user.name": "elastic.user@elastic.test.com" }, @@ -420,8 +420,8 @@ "source.bytes": 0, "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -481,8 +481,8 @@ "source.ip": "91.67.201.4", "source.user.name": "hendrikl", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "user.name": "hendrikl" }, @@ -520,8 +520,8 @@ "sophos.xg.priority": "Notice", "sophos.xg.status": "Successful", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -566,8 +566,8 @@ "source.ip": "10.83.234.5", "source.user.name": "admin", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -617,8 +617,8 @@ "source.ip": "172.66.35.15", "source.user.name": "root", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -655,8 +655,8 @@ "sophos.xg.priority": "Notice", "sophos.xg.status": "Successful", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -691,8 +691,8 @@ "sophos.xg.message_id": "17923", "sophos.xg.priority": "Information", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -701,8 +701,8 @@ "client.ip": "10.84.234.38", "destination.bytes": 0, "event.category": [ - "network", - "authentication" + "authentication", + "network" ], "event.code": "062910617703", "event.dataset": "sophos.xg", @@ -713,9 +713,9 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "user", + "connection", "end", - "connection" + "user" ], "fileset.name": "xg", "host.name": "some_other_host.local", 
@@ -754,8 +754,8 @@ "source.user.group.name": "VPN.SSL.Users.elastic", "source.user.name": "elastic.user@elastic.test.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "user.name": "elastic.user@elastic.test.com" }, @@ -801,8 +801,8 @@ "sophos.xg.status": "Connected", "source.bytes": 0, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -847,8 +847,8 @@ "sophos.xg.status": "Disconnected", "source.bytes": 22368, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -893,8 +893,8 @@ "sophos.xg.status": "Interim", "source.bytes": 0, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -931,8 +931,8 @@ "sophos.xg.status": "Success", "sophos.xg.updatedip": "10.198.232.86", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json index 35557e557da..d441f78dbfd 100644 --- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -38,9 +38,9 @@ "event.start": "2020-05-18T14:38:37.000-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -65,8 +65,8 @@ ], "related.ip": [ "172.17.34.15", - "91.228.167.86", - "213.167.51.66" + "213.167.51.66", + "91.228.167.86" ], "rule.id": "21", "rule.ruleset": "1", @@ -112,8 +112,8 @@ "source.packets": 6, "source.port": 62841, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -155,9 +155,9 @@ "event.start": "2020-05-18T14:38:38.000-02:00", "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "xg", "host.name": "some_other_host.local", 
@@ -182,8 +182,8 @@ ], "related.ip": [ "172.16.66.155", - "91.228.165.117", - "185.8.209.194" + "185.8.209.194", + "91.228.165.117" ], "rule.id": "67", "rule.ruleset": "1", @@ -232,8 +232,8 @@ "source.packets": 0, "source.port": 49144, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -265,8 +265,8 @@ "event.start": "2020-05-18T14:38:39.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -319,8 +319,8 @@ "source.packets": 0, "source.port": 53287, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -351,8 +351,8 @@ "event.start": "2020-05-18T14:38:40.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -409,8 +409,8 @@ "source.user.group.name": "elastic.group.local", "source.user.name": "elastic@user.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -449,8 +449,8 @@ "event.start": "2020-05-18T14:38:41.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -469,8 +469,8 @@ "some_other_host.local" ], "related.ip": [ - "51.77.56.9", - "185.7.209.207" + "185.7.209.207", + "51.77.56.9" ], "rule.id": "0", "rule.ruleset": "0", @@ -512,8 +512,8 @@ "source.packets": 0, "source.port": 55039, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -545,8 +545,8 @@ "event.start": "2020-05-18T14:38:42.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", 
@@ -604,8 +604,8 @@ "source.user.group.name": "elastic.group.local", "source.user.name": "elastic@user.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -638,8 +638,8 @@ "event.start": "2020-05-18T14:38:43.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -658,8 +658,8 @@ "some_other_host.local" ], "related.ip": [ - "172.16.36.105", - "10.84.234.14" + "10.84.234.14", + "172.16.36.105" ], "rule.id": "0", "rule.ruleset": "0", @@ -691,8 +691,8 @@ "source.packets": 0, "source.port": 3389, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -723,8 +723,8 @@ "event.start": "2020-05-18T14:38:44.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -743,8 +743,8 @@ "my_fancy_host" ], "related.ip": [ - "10.82.234.9", - "10.82.234.11" + "10.82.234.11", + "10.82.234.9" ], "rule.id": "0", "rule.ruleset": "0", @@ -775,8 +775,8 @@ "source.packets": 0, "source.port": 58331, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -808,9 +808,9 @@ "event.start": "2020-05-18T14:38:45.000-02:00", "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -875,8 +875,8 @@ "source.user.group.name": "elastic.group.local", "source.user.name": "elastic@user.local", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -906,9 +906,9 @@ "event.start": "2020-05-18T14:38:45.000-02:00", "event.timezone": "-02:00", "event.type": [ - "start", "allowed", - "connection" + "connection", + "start" ], "fileset.name": "xg", "host.name": "some_other_host.local", 
@@ -927,8 +927,8 @@ "some_other_host.local" ], "related.ip": [ - "192.168.1.254", - "172.17.32.19" + "172.17.32.19", + "192.168.1.254" ], "rule.id": "60", "rule.ruleset": "1", @@ -962,8 +962,8 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -994,9 +994,9 @@ "event.start": "2020-06-05T12:38:53.000-02:00", "event.timezone": "-02:00", "event.type": [ - "end", "allowed", - "connection" + "connection", + "end" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -1017,8 +1017,8 @@ "some_other_host.local" ], "related.ip": [ - "172.17.35.119", - "172.16.34.10" + "172.16.34.10", + "172.17.35.119" ], "rule.id": "60", "rule.ruleset": "1", @@ -1053,8 +1053,8 @@ "source.packets": 6, "source.port": 61925, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -1092,8 +1092,8 @@ "event.start": "2018-05-30T13:26:37.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -1143,8 +1143,8 @@ "source.packets": 0, "source.port": 1353, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -1175,8 +1175,8 @@ "event.start": "2018-06-04T17:20:24.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -1224,8 +1224,8 @@ "source.packets": 0, "source.port": 0, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -1257,8 +1257,8 @@ "event.start": "2018-05-30T14:01:32.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -1309,8 +1309,8 @@ "source.packets": 0, "source.port": 137, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { 
@@ -1343,8 +1343,8 @@ "event.start": "2018-05-30T14:17:17.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -1395,8 +1395,8 @@ "source.packets": 0, "source.port": 41960, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -1425,8 +1425,8 @@ "event.start": "2018-06-05T14:30:31.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -1444,8 +1444,8 @@ "firewall.localgroup.local" ], "related.ip": [ - "10.198.37.23", - "10.198.36.48" + "10.198.36.48", + "10.198.37.23" ], "rule.id": "0", "rule.ruleset": "0", @@ -1475,8 +1475,8 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -1515,8 +1515,8 @@ "event.start": "2018-05-31T17:05:14.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -1565,8 +1565,8 @@ "source.packets": 0, "source.port": 1571, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -1598,8 +1598,8 @@ "event.start": "2018-05-30T15:09:51.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -1650,8 +1650,8 @@ "source.packets": 0, "source.port": 546, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -1681,8 +1681,8 @@ "event.start": "2018-06-01T10:57:55.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", 
@@ -1701,8 +1701,8 @@ "firewall.localgroup.local" ], "related.ip": [ - "10.198.37.57", - "10.198.32.19" + "10.198.32.19", + "10.198.37.57" ], "rule.id": "16", "rule.ruleset": "1", @@ -1734,8 +1734,8 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -1776,8 +1776,8 @@ "event.start": "2018-06-01T10:55:41.000-02:00", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -1829,8 +1829,8 @@ "source.nat.port": 0, "source.packets": 0, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index 2dcaffd634e..59caeaab67d 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -19,8 +19,8 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -36,8 +36,8 @@ "my_fancy_host" ], "related.ip": [ - "89.40.182.58", - "172.16.68.20" + "172.16.68.20", + "89.40.182.58" ], "rule.category": "access to a potentially vulnerable web application", "rule.id": "1881", @@ -70,8 +70,8 @@ "source.ip": "89.40.182.58", "source.port": 41528, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -94,8 +94,8 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -147,8 +147,8 @@ "source.ip": "117.50.11.192", "source.port": 58914, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { 
@@ -171,8 +171,8 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -188,8 +188,8 @@ "some_other_host.local" ], "related.ip": [ - "77.61.185.101", - "172.16.68.20" + "172.16.68.20", + "77.61.185.101" ], "rule.category": "Web Application Attack", "rule.id": "53589", @@ -222,8 +222,8 @@ "source.ip": "77.61.185.101", "source.port": 59476, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -246,8 +246,8 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -290,8 +290,8 @@ "source.ip": "10.0.0.168", "source.port": 28938, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -314,8 +314,8 @@ "event.severity": "4", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "firewall.localgroup.local", @@ -358,8 +358,8 @@ "source.ip": "10.0.1.31", "source.port": 40140, "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json index acae45ad376..a112d1dc23e 100644 --- a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json @@ -15,8 +15,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "file.size": 0, "fileset.name": "xg", @@ -41,8 +41,8 @@ "sophos.xg.priority": "Information", "sophos.xg.reason": "eligible", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { 
@@ -62,8 +62,8 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81", "file.mime_type": "application/octet-stream", @@ -103,8 +103,8 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith@iview.com", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -123,8 +123,8 @@ "event.timezone": "-02:00", "event.type": [ "allowed", - "end", - "connection" + "connection", + "end" ], "file.size": 0, "fileset.name": "xg", @@ -149,8 +149,8 @@ "sophos.xg.priority": "Information", "sophos.xg.reason": "eligible", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -169,8 +169,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "start", - "connection" + "connection", + "start" ], "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", "file.mime_type": "application/octet-stream", @@ -210,8 +210,8 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -231,8 +231,8 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", "file.mime_type": "application/octet-stream", @@ -272,8 +272,8 @@ "source.ip": "10.198.47.112", "source.user.name": "jsmith", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { @@ -293,8 +293,8 @@ "event.severity": "2", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db", "file.mime_type": "application/pdf", @@ -330,8 +330,8 @@ "sophos.xg.source": "sophostest.com", "source.ip": "172.16.34.24", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index 9950baa2a62..6b8458c29a5 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -28,8 +28,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -46,8 +46,8 @@ "my_fancy_host" ], "related.ip": [ - "89.68.140.204", - "185.8.209.207" + "185.8.209.207", + "89.68.140.204" ], "server.bytes": 5669, "server.ip": "185.8.209.207", @@ -77,8 +77,8 @@ "source.geo.region_name": "Pomerania", "source.ip": "89.68.140.204", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.full": "/mapi/nspi/", "url.original": "/mapi/nspi/", @@ -114,8 +114,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -132,8 +132,8 @@ "some_other_host.local" ], "related.ip": [ - "89.68.140.204", - "185.8.209.207" + "185.8.209.207", + "89.68.140.204" ], "server.bytes": 1357, "server.ip": "185.8.209.207", @@ -164,8 +164,8 @@ "source.geo.region_name": "Pomerania", "source.ip": "89.68.140.204", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.full": "/mapi/nspi/", "url.original": "/mapi/nspi/", @@ -192,8 +192,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -210,8 +210,8 @@ "some_other_host.local" ], "related.ip": [ - "10.198.235.254", - "10.198.233.48" + "10.198.233.48", + "10.198.235.254" ], "related.user": [ "jsmith" 
@@ -236,8 +236,8 @@ "source.ip": "10.198.235.254", "source.user.name": "jsmith", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.full": "/", "url.original": "/", @@ -264,8 +264,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "my_fancy_host", @@ -283,8 +283,8 @@ "my_fancy_host" ], "related.ip": [ - "10.198.235.254", - "10.198.233.48" + "10.198.233.48", + "10.198.235.254" ], "related.user": [ "jsmith" @@ -311,8 +311,8 @@ "source.ip": "10.198.235.254", "source.user.name": "jsmith", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.extension": "zip", "url.full": "/download/eicarcom2.zip", @@ -347,8 +347,8 @@ "event.severity": "6", "event.timezone": "-02:00", "event.type": [ - "denied", - "connection" + "connection", + "denied" ], "fileset.name": "xg", "host.name": "some_other_host.local", @@ -365,8 +365,8 @@ "some_other_host.local" ], "related.ip": [ - "83.97.20.30", - "216.167.51.72" + "216.167.51.72", + "83.97.20.30" ], "server.bytes": 5353, "server.ip": "216.167.51.72", @@ -398,8 +398,8 @@ "source.geo.region_name": "Bucuresti", "source.ip": "83.97.20.30", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ], "url.full": "/", "url.original": "/", diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json index 0568deab20f..d934c831d2a 100644 --- a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json @@ -33,8 +33,8 @@ "sophos.xg.priority": "Information", "sophos.xg.ssid": "SPIDIGO2015", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] }, { 
@@ -71,8 +71,8 @@ "sophos.xg.priority": "Information", "sophos.xg.ssid": "SPIDIGO2015", "tags": [ - "sophos-xg", - "forwarded" + "forwarded", + "sophos-xg" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 037d59010c3..80a0e805968 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -57,8 +57,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "login.yahoo.com", "url.original": "login.yahoo.com:443", @@ -129,8 +129,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/", @@ -204,8 +204,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "css", @@ -266,8 +266,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "css", @@ -328,8 +328,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.google-analytics.com", "url.extension": "js", @@ -383,8 +383,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -403,8 +403,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/", 
@@ -475,8 +475,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.google-analytics.com", "url.extension": "gif", @@ -552,8 +552,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "gif", @@ -596,8 +596,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -608,8 +608,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -628,8 +628,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "jpg", @@ -672,8 +672,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -704,8 +704,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "gif", @@ -766,8 +766,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "gif", @@ -810,8 +810,8 @@ "as.casalemedia.com" ], "related.ip": [ - "209.85.16.38", - "10.105.21.199" + "10.105.21.199", + "209.85.16.38" ], "related.user": [ "badeyek" @@ -842,8 +842,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "as.casalemedia.com", "url.original": "http://as.casalemedia.com/s?", 
@@ -891,8 +891,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -911,8 +911,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.bc.yahoo.com", "url.original": "us.bc.yahoo.com:443", @@ -949,8 +949,8 @@ "impgb.tradedoubler.com" ], "related.ip": [ - "217.212.240.172", - "10.105.21.199" + "10.105.21.199", + "217.212.240.172" ], "related.user": [ "badeyek" @@ -961,8 +961,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -981,8 +981,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "impgb.tradedoubler.com", "url.original": "http://impgb.tradedoubler.com/imp/img/16349696/992098", @@ -1024,8 +1024,8 @@ "4.adbrite.com" ], "related.ip": [ - "206.169.136.22", - "10.105.21.199" + "10.105.21.199", + "206.169.136.22" ], "related.user": [ "badeyek" @@ -1036,8 +1036,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1056,8 +1056,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "4.adbrite.com", "url.extension": "php", @@ -1119,8 +1119,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "gif", 
@@ -1175,8 +1175,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1195,8 +1195,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "gif", @@ -1271,8 +1271,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.goonernews.com", "url.extension": "gif", @@ -1342,8 +1342,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "4.adbrite.com", "url.extension": "php", @@ -1387,8 +1387,8 @@ "ff.connextra.com" ], "related.ip": [ - "213.160.98.161", - "10.105.21.199" + "10.105.21.199", + "213.160.98.161" ], "related.user": [ "badeyek" @@ -1419,8 +1419,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "ff.connextra.com", "url.original": "http://ff.connextra.com/Ladbrokes/selector/image?", @@ -1495,8 +1495,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "dd.connextra.com", "url.original": "http://dd.connextra.com/servlet/controller?", @@ -1555,8 +1555,8 @@ "10.105.47.218" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", @@ -1604,8 +1604,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1624,8 +1624,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "login.yahoo.com", "url.original": "login.yahoo.com:443", 
@@ -1663,8 +1663,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1683,8 +1683,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "update.messenger.yahoo.com", "url.extension": "html", @@ -1754,8 +1754,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", @@ -1796,8 +1796,8 @@ "hi5.com" ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1827,8 +1827,8 @@ "10.105.47.218" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", @@ -1869,8 +1869,8 @@ "hi5.com" ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1881,8 +1881,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1900,8 +1900,8 @@ "10.105.47.218" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "hi5.com", "url.extension": "css", @@ -1939,8 +1939,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -1950,8 +1950,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", 
@@ -1970,8 +1970,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", @@ -2011,8 +2011,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2031,8 +2031,8 @@ "10.105.37.58" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "rms.adobe.com", "url.extension": "xml", @@ -2093,8 +2093,8 @@ "10.105.47.218" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "images.hi5.com", "url.extension": "css", @@ -2155,8 +2155,8 @@ "10.105.47.218" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "images.hi5.com", "url.extension": "css", @@ -2198,8 +2198,8 @@ "hi5.com" ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -2229,8 +2229,8 @@ "10.105.47.218" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", @@ -2271,8 +2271,8 @@ "hi5.com" ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -2302,8 +2302,8 @@ "10.105.47.218" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "hi5.com", "url.extension": "css", @@ -2341,8 +2341,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2372,8 +2372,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", 
@@ -2409,8 +2409,8 @@ "insider.msg.yahoo.com" ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2441,8 +2441,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/?", @@ -2482,8 +2482,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2494,8 +2494,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2514,8 +2514,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "asp", @@ -2585,8 +2585,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", @@ -2655,8 +2655,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "address.yahoo.com", "url.original": "http://address.yahoo.com/yab/us?", @@ -2699,8 +2699,8 @@ "fxfeeds.mozilla.org" ], "related.ip": [ - "63.245.209.21", - "10.105.21.199" + "10.105.21.199", + "63.245.209.21" ], "related.user": [ "badeyek" @@ -2731,8 +2731,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "fxfeeds.mozilla.org", "url.extension": "xml", @@ -2771,8 +2771,8 @@ "insider.msg.yahoo.com" ], "related.ip": [ - "68.142.231.252", - "10.105.33.214" + "10.105.33.214", + "68.142.231.252" ], "related.user": [ "adeolaegbedokun" 
@@ -2803,8 +2803,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/?", @@ -2853,8 +2853,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2873,8 +2873,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/?", @@ -2933,8 +2933,8 @@ "10.105.37.17" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", @@ -2971,8 +2971,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2991,8 +2991,8 @@ "10.105.37.17" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.mcafee.com", "url.extension": "asp", @@ -3052,8 +3052,8 @@ "10.105.37.17" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.mcafee.com", "url.extension": "asp", @@ -3092,8 +3092,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3112,8 +3112,8 @@ "10.105.37.17" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", 
@@ -3162,8 +3162,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3182,8 +3182,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -3242,8 +3242,8 @@ "10.105.37.17" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", @@ -3280,8 +3280,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3292,8 +3292,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3312,8 +3312,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -3363,8 +3363,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -3383,8 +3383,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", @@ -3455,8 +3455,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", 
@@ -3528,8 +3528,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -3589,8 +3589,8 @@ "10.105.47.191" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.mcafee.com", "url.extension": "asp", @@ -3650,8 +3650,8 @@ "10.105.47.191" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.mcafee.com", "url.extension": "asp", @@ -3703,8 +3703,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3723,8 +3723,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -3796,8 +3796,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -3869,8 +3869,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -3922,8 +3922,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3942,8 +3942,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -3984,8 +3984,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -4004,8 +4004,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -4066,8 +4066,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "gif", @@ -4108,8 +4108,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4128,8 +4128,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.i1.yimg.com", "url.extension": "gif", @@ -4201,8 +4201,8 @@ "10.105.21.199" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "newsrss.bbc.co.uk", "url.extension": "xml", @@ -4242,8 +4242,8 @@ "insider.msg.yahoo.com" ], "related.ip": [ - "68.142.231.252", - "10.105.33.214" + "10.105.33.214", + "68.142.231.252" ], "related.user": [ "adeolaegbedokun" @@ -4274,8 +4274,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "insider.msg.yahoo.com", "url.extension": "php", @@ -4316,8 +4316,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "304", @@ -4336,8 +4336,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.ent1.yimg.com", "url.extension": "jpg", @@ -4398,8 +4398,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.news1.yimg.com", "url.extension": "jpg", 
@@ -4470,8 +4470,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.launch.yahoo.com", "url.extension": "asp", @@ -4526,8 +4526,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4546,8 +4546,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "us.news1.yimg.com", "url.extension": "jpg", @@ -4587,8 +4587,8 @@ "radio.music.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4599,8 +4599,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4619,8 +4619,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.music.yahoo.com", "url.extension": "asp", @@ -4673,8 +4673,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4693,8 +4693,8 @@ "10.105.33.214" ], "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "radio.music.yahoo.com", "url.extension": "asp", @@ -4747,8 +4747,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -4767,8 +4767,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "radio.launch.yahoo.com",
 "url.extension": "asp",
@@ -4810,8 +4810,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_DENIED",
- "GET"
+ "GET",
+ "TCP_DENIED"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -4830,8 +4830,8 @@
 "10.105.37.65"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "natrocket.kmip.net",
 "url.original": "http://natrocket.kmip.net:5288/iesocks?",
@@ -4873,8 +4873,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_DENIED",
- "GET"
+ "GET",
+ "TCP_DENIED"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "407",
@@ -4893,8 +4893,8 @@
 "10.105.37.65"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "natrocket.kmip.net",
 "url.original": "http://natrocket.kmip.net:5288/return?",
@@ -4970,8 +4970,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.news1.yimg.com",
 "url.extension": "jpg",
@@ -5011,8 +5011,8 @@
 "radio.launch.yahoo.com"
 ],
 "related.ip": [
- "68.142.219.132",
- "10.105.33.214"
+ "10.105.33.214",
+ "68.142.219.132"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -5023,8 +5023,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "302",
@@ -5043,8 +5043,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "radio.launch.yahoo.com",
 "url.extension": "asp",
@@ -5097,8 +5097,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/html",
 "rsa.misc.result_code": "200",
@@ -5117,8 +5117,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "radio.launch.yahoo.com",
 "url.extension": "asp",
@@ -5194,8 +5194,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.a2.yimg.com",
 "url.extension": "swf",
@@ -5268,8 +5268,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "radio.launch.yahoo.com",
 "url.extension": "asp",
@@ -5308,8 +5308,8 @@
 "us.bc.yahoo.com"
 ],
 "related.ip": [
- "68.142.213.132",
- "10.105.33.214"
+ "10.105.33.214",
+ "68.142.213.132"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -5320,8 +5320,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -5340,8 +5340,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.bc.yahoo.com",
 "url.original": "http://us.bc.yahoo.com/b?",
@@ -5411,8 +5411,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "insider.msg.yahoo.com",
 "url.extension": "php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw",
@@ -5450,8 +5450,8 @@
 "pclick.internal.yahoo.com"
 ],
 "related.ip": [
- "216.109.124.55",
- "10.105.33.214"
+ "10.105.33.214",
+ "216.109.124.55"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -5481,8 +5481,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "pclick.internal.yahoo.com",
 "url.original": "pclick.internal.yahoo.com:443",
@@ -5540,8 +5540,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "js",
@@ -5584,8 +5584,8 @@
 "a1568.g.akamai.net"
 ],
 "related.ip": [
- "213.160.98.159",
- "10.105.33.214"
+ "10.105.33.214",
+ "213.160.98.159"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -5596,8 +5596,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "text/css",
 "rsa.misc.result_code": "304",
@@ -5616,8 +5616,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "css",
@@ -5692,8 +5692,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "gif",
@@ -5732,8 +5732,8 @@
 "login.yahoo.com"
 ],
 "related.ip": [
- "209.73.177.115",
- "10.105.21.199"
+ "10.105.21.199",
+ "209.73.177.115"
 ],
 "related.user": [
 "badeyek"
@@ -5743,8 +5743,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "CONNECT"
+ "CONNECT",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "200",
@@ -5763,8 +5763,8 @@
 "10.105.21.199"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "login.yahoo.com",
 "url.original": "login.yahoo.com:443",
@@ -5816,8 +5816,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "-",
 "rsa.misc.result_code": "304",
@@ -5836,8 +5836,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "gif",
@@ -5880,8 +5880,8 @@
 "a1568.g.akamai.net"
 ],
 "related.ip": [
- "213.160.98.159",
- "10.105.33.214"
+ "10.105.33.214",
+ "213.160.98.159"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -5892,8 +5892,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -5912,8 +5912,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "gif",
@@ -5954,8 +5954,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_IMS_HIT",
- "GET"
+ "GET",
+ "TCP_IMS_HIT"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -5974,8 +5974,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "gif",
@@ -6018,8 +6018,8 @@
 "a1568.g.akamai.net"
 ],
 "related.ip": [
- "213.160.98.167",
- "10.105.33.214"
+ "10.105.33.214",
+ "213.160.98.167"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -6050,8 +6050,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "gif",
@@ -6126,8 +6126,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "gif",
@@ -6170,8 +6170,8 @@
 "a1568.g.akamai.net"
 ],
 "related.ip": [
- "213.160.98.167",
- "10.105.33.214"
+ "10.105.33.214",
+ "213.160.98.167"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -6182,8 +6182,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "304",
@@ -6202,8 +6202,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "a1568.g.akamai.net",
 "url.extension": "gif",
@@ -6264,8 +6264,8 @@
 "10.105.37.180"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www.google.com",
 "url.original": "http://www.google.com/supported_domains",
@@ -6325,8 +6325,8 @@
 "10.105.47.191"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.mcafee.com",
 "url.extension": "asp",
@@ -6365,8 +6365,8 @@
 "launch.adserver.yahoo.com"
 ],
 "related.ip": [
- "216.109.125.112",
- "10.105.33.214"
+ "10.105.33.214",
+ "216.109.125.112"
 ],
 "related.user": [
 "adeolaegbedokun"
@@ -6377,8 +6377,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_MISS",
- "GET"
+ "GET",
+ "TCP_MISS"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -6397,8 +6397,8 @@
 "10.105.33.214"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "launch.adserver.yahoo.com",
 "url.original": "http://launch.adserver.yahoo.com/l?",
@@ -6470,8 +6470,8 @@
 "10.105.21.199"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "uk.f250.mail.yahoo.com",
 "url.original": "http://uk.f250.mail.yahoo.com/dc/launch?",
@@ -6530,8 +6530,8 @@
 "10.105.37.180"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "login.live.com",
 "url.original": "login.live.com:443",
@@ -6603,8 +6603,8 @@
 "10.105.21.199"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.js2.yimg.com",
 "url.extension": "js",
@@ -6665,8 +6665,8 @@
 "10.105.21.199"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.js1.yimg.com",
 "url.extension": "css",
@@ -6741,8 +6741,8 @@
 "10.105.21.199"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.js2.yimg.com",
 "url.extension": "js",
@@ -6783,8 +6783,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_HIT",
- "GET"
+ "GET",
+ "TCP_HIT"
 ],
 "rsa.misc.content_type": "application/x-javascript",
 "rsa.misc.result_code": "200",
@@ -6803,8 +6803,8 @@
 "10.105.21.199"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.js1.yimg.com",
 "url.extension": "js",
@@ -6845,8 +6845,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_HIT",
- "GET"
+ "GET",
+ "TCP_HIT"
 ],
 "rsa.misc.content_type": "application/x-javascript",
 "rsa.misc.result_code": "200",
@@ -6865,8 +6865,8 @@
 "10.105.21.199"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.js2.yimg.com",
 "url.extension": "js",
@@ -6907,8 +6907,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_HIT",
- "GET"
+ "GET",
+ "TCP_HIT"
 ],
 "rsa.misc.content_type": "image/gif",
 "rsa.misc.result_code": "200",
@@ -6927,8 +6927,8 @@
 "10.105.21.199"
 ],
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "us.i1.yimg.com",
 "url.extension": "gif",
diff --git a/x-pack/filebeat/module/squid/log/test/generated.log-expected.json b/x-pack/filebeat/module/squid/log/test/generated.log-expected.json
index 4da5c1f13cd..4aba84e8f9a 100644
--- a/x-pack/filebeat/module/squid/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/squid/log/test/generated.log-expected.json
@@ -51,16 +51,16 @@
 ],
 "source.port": 7337,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "example.org",
 "url.extension": "htm",
 "url.fragment": "min",
 "url.original": "https://example.org/exercita/der.htm?odoco=ria#min",
 "url.path": [
- "https://example.net",
- "/exercita/der.htm"
+ "/exercita/der.htm",
+ "https://example.net"
 ],
 "url.query": "odoco=ria",
 "url.registered_domain": "example.org",
@@ -94,8 +94,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www.example.org",
- "example.com"
+ "example.com",
+ "www.example.org"
 ],
 "related.ip": [
 "10.102.123.34",
@@ -106,8 +106,8 @@
 ],
 "rsa.internal.messageid": "PURGE",
 "rsa.misc.action": [
- "deny",
- "PURGE"
+ "PURGE",
+ "deny"
 ],
 "rsa.misc.content_type": "volup",
 "rsa.misc.result_code": "olupt",
@@ -128,16 +128,16 @@
 ],
 "source.port": 7178,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www.example.org",
 "url.extension": "txt",
 "url.fragment": "nidolor",
 "url.original": "https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor",
 "url.path": [
- "https://example.com",
- "/enderitq/sperna.txt"
+ "/enderitq/sperna.txt",
+ "https://example.com"
 ],
 "url.query": "billoi=oreetdol",
 "url.registered_domain": "example.org",
@@ -206,16 +206,16 @@
 ],
 "source.port": 7269,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "internal.example.com",
 "url.extension": "jpg",
 "url.fragment": "iin",
 "url.original": "https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin",
 "url.path": [
- "https://example.net",
- "/aqu/utper.jpg"
+ "/aqu/utper.jpg",
+ "https://example.net"
 ],
 "url.query": "eFinib=omm",
 "url.registered_domain": "example.com",
@@ -284,16 +284,16 @@
 ],
 "source.port": 5162,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "api.example.org",
 "url.extension": "gif",
 "url.fragment": "con",
 "url.original": "https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con",
 "url.path": [
- "https://mail.example.com",
- "/ceroinBC/ratvolup.gif"
+ "/ceroinBC/ratvolup.gif",
+ "https://mail.example.com"
 ],
 "url.query": "iatu=ionofde",
 "url.registered_domain": "example.org",
@@ -361,16 +361,16 @@
 ],
 "source.port": 1980,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "api.example.org",
 "url.extension": "gif",
 "url.fragment": "eos",
 "url.original": "https://api.example.org/isetq/estqui.gif?magn=equuntu#eos",
 "url.path": [
- "https://api.example.net",
- "/isetq/estqui.gif"
+ "/isetq/estqui.gif",
+ "https://api.example.net"
 ],
 "url.query": "magn=equuntu",
 "url.registered_domain": "example.org",
@@ -405,8 +405,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www.example.org",
- "api.example.com"
+ "api.example.com",
+ "www.example.org"
 ],
 "related.ip": [
 "10.12.195.60",
@@ -420,8 +420,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "accept",
- "HEAD"
+ "HEAD",
+ "accept"
 ],
 "rsa.misc.content_type": "aboris",
 "rsa.misc.result_code": "natura",
@@ -442,16 +442,16 @@
 ],
 "source.port": 4243,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www.example.org",
 "url.extension": "txt",
 "url.fragment": "ect",
 "url.original": "https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect",
 "url.path": [
- "https://api.example.com",
- "/inesci/rsitvolu.txt"
+ "/inesci/rsitvolu.txt",
+ "https://api.example.com"
 ],
 "url.query": "pori=occ",
 "url.registered_domain": "example.org",
@@ -486,8 +486,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www5.example.com",
- "www.example.org"
+ "www.example.org",
+ "www5.example.com"
 ],
 "related.ip": [
 "10.198.136.50",
@@ -498,8 +498,8 @@
 ],
 "rsa.internal.messageid": "DELETE",
 "rsa.misc.action": [
- "allow",
- "DELETE"
+ "DELETE",
+ "allow"
 ],
 "rsa.misc.content_type": "usmodte",
 "rsa.misc.result_code": "mUt",
@@ -520,16 +520,16 @@
 ],
 "source.port": 6875,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www5.example.com",
 "url.extension": "txt",
 "url.fragment": "atat",
 "url.original": "https://www5.example.com/ari/eataevit.txt?iam=mqua#atat",
 "url.path": [
- "https://www.example.org",
- "/ari/eataevit.txt"
+ "/ari/eataevit.txt",
+ "https://www.example.org"
 ],
 "url.query": "iam=mqua",
 "url.registered_domain": "example.com",
@@ -564,8 +564,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "internal.example.net",
- "example.org"
+ "example.org",
+ "internal.example.net"
 ],
 "related.ip": [
 "10.116.120.216",
@@ -576,8 +576,8 @@
 ],
 "rsa.internal.messageid": "PROPFIND",
 "rsa.misc.action": [
- "accept",
- "PROPFIND"
+ "PROPFIND",
+ "accept"
 ],
 "rsa.misc.content_type": "mol",
 "rsa.misc.result_code": "apariat",
@@ -597,16 +597,16 @@
 ],
 "source.port": 124,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "example.org",
 "url.extension": "htm",
 "url.fragment": "orsitame",
 "url.original": "https://example.org/tatno/imav.htm?ofdeF=tion#orsitame",
 "url.path": [
- "https://internal.example.net",
- "/tatno/imav.htm"
+ "/tatno/imav.htm",
+ "https://internal.example.net"
 ],
 "url.query": "ofdeF=tion",
 "url.registered_domain": "example.org",
@@ -655,8 +655,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "accept",
- "HEAD"
+ "HEAD",
+ "accept"
 ],
 "rsa.misc.content_type": "undeo",
 "rsa.misc.result_code": "quu",
@@ -676,16 +676,16 @@
 ],
 "source.port": 6343,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "example.org",
 "url.extension": "txt",
 "url.fragment": "iumto",
 "url.original": "https://example.org/uaera/sitas.txt?aedic=atquovo#iumto",
 "url.path": [
- "https://mail.example.net",
- "/uaera/sitas.txt"
+ "/uaera/sitas.txt",
+ "https://mail.example.net"
 ],
 "url.query": "aedic=atquovo",
 "url.registered_domain": "example.org",
@@ -755,16 +755,16 @@
 ],
 "source.port": 7618,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "mail.example.org",
 "url.extension": "htm",
 "url.fragment": "nsequu",
 "url.original": "https://mail.example.org/edquiano/loru.htm?end=enia#nsequu",
 "url.path": [
- "https://www5.example.org",
- "/edquiano/loru.htm"
+ "/edquiano/loru.htm",
+ "https://www5.example.org"
 ],
 "url.query": "end=enia",
 "url.registered_domain": "example.org",
@@ -802,8 +802,8 @@
 "www.example.org"
 ],
 "related.ip": [
- "10.71.34.9",
- "10.158.185.163"
+ "10.158.185.163",
+ "10.71.34.9"
 ],
 "related.user": [
 "aliq"
@@ -832,16 +832,16 @@
 ],
 "source.port": 267,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www.example.org",
 "url.extension": "txt",
 "url.fragment": "xercitat",
 "url.original": "https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat",
 "url.path": [
- "https://www.example.org",
- "/iqui/etc.txt"
+ "/iqui/etc.txt",
+ "https://www.example.org"
 ],
 "url.query": "tatiset=eprehen",
 "url.registered_domain": "example.org",
@@ -876,8 +876,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "internal.example.net",
- "example.net"
+ "example.net",
+ "internal.example.net"
 ],
 "related.ip": [
 "10.201.76.240",
@@ -888,8 +888,8 @@
 ],
 "rsa.internal.messageid": "OPTIONS",
 "rsa.misc.action": [
- "accept",
- "OPTIONS"
+ "OPTIONS",
+ "accept"
 ],
 "rsa.misc.content_type": "emips",
 "rsa.misc.result_code": "onse",
@@ -910,16 +910,16 @@
 ],
 "source.port": 6423,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "internal.example.net",
 "url.extension": "txt",
 "url.fragment": "ugiatnu",
 "url.original": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu",
 "url.path": [
- "https://example.net",
- "/ommod/sequatur.txt"
+ "/ommod/sequatur.txt",
+ "https://example.net"
 ],
 "url.query": "tlabo=suntexp",
 "url.registered_domain": "example.net",
@@ -950,12 +950,12 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www.example.net",
- "api.example.org"
+ "api.example.org",
+ "www.example.net"
 ],
 "related.ip": [
- "10.206.136.206",
- "10.114.138.121"
+ "10.114.138.121",
+ "10.206.136.206"
 ],
 "related.user": [
 "xeac"
@@ -984,16 +984,16 @@
 ],
 "source.port": 1939,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "api.example.org",
 "url.extension": "gif",
 "url.fragment": "eporroqu",
 "url.original": "https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu",
 "url.path": [
- "https://www.example.net",
- "/oriosamn/deFinibu.gif"
+ "/oriosamn/deFinibu.gif",
+ "https://www.example.net"
 ],
 "url.query": "iciatisu=rehender",
 "url.registered_domain": "example.org",
@@ -1028,12 +1028,12 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www.example.com",
- "mail.example.org"
+ "mail.example.org",
+ "www.example.com"
 ],
 "related.ip": [
- "10.200.199.166",
- "10.134.161.118"
+ "10.134.161.118",
+ "10.200.199.166"
 ],
 "related.user": [
 "ipitla"
@@ -1062,16 +1062,16 @@
 ],
 "source.port": 3727,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "mail.example.org",
 "url.extension": "html",
 "url.fragment": "civeli",
 "url.original": "https://mail.example.org/rehend/tio.html?numqu=qui#civeli",
 "url.path": [
- "https://www.example.com",
- "/rehend/tio.html"
+ "/rehend/tio.html",
+ "https://www.example.com"
 ],
 "url.query": "numqu=qui",
 "url.registered_domain": "example.org",
@@ -1106,8 +1106,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www5.example.com",
- "www.example.org"
+ "www.example.org",
+ "www5.example.com"
 ],
 "related.ip": [
 "10.76.3.41",
@@ -1118,8 +1118,8 @@
 ],
 "rsa.internal.messageid": "NONE",
 "rsa.misc.action": [
- "allow",
- "NONE"
+ "NONE",
+ "allow"
 ],
 "rsa.misc.content_type": "aaliquaU",
 "rsa.misc.result_code": "mpori",
@@ -1140,16 +1140,16 @@
 ],
 "source.port": 2807,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www.example.org",
 "url.extension": "txt",
 "url.fragment": "iamquis",
 "url.original": "https://www.example.org/eav/ionevo.txt?siar=orev#iamquis",
 "url.path": [
- "https://www5.example.com",
- "/eav/ionevo.txt"
+ "/eav/ionevo.txt",
+ "https://www5.example.com"
 ],
 "url.query": "siar=orev",
 "url.registered_domain": "example.org",
@@ -1184,8 +1184,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "internal.example.net",
- "api.example.com"
+ "api.example.com",
+ "internal.example.net"
 ],
 "related.ip": [
 "10.164.250.63",
@@ -1196,8 +1196,8 @@
 ],
 "rsa.internal.messageid": "PROPFIND",
 "rsa.misc.action": [
- "accept",
- "PROPFIND"
+ "PROPFIND",
+ "accept"
 ],
 "rsa.misc.content_type": "asun",
 "rsa.misc.result_code": "lit",
@@ -1218,16 +1218,16 @@
 ],
 "source.port": 2530,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "internal.example.net",
 "url.extension": "jpg",
 "url.fragment": "leumiu",
 "url.original": "https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu",
 "url.path": [
- "https://api.example.com",
- "/wri/bor.jpg"
+ "/wri/bor.jpg",
+ "https://api.example.com"
 ],
 "url.query": "hitect=dol",
 "url.registered_domain": "example.net",
@@ -1266,8 +1266,8 @@
 "www5.example.net"
 ],
 "related.ip": [
- "10.61.242.75",
- "10.236.248.65"
+ "10.236.248.65",
+ "10.61.242.75"
 ],
 "related.user": [
 "iquidex"
@@ -1299,16 +1299,16 @@
 ],
 "source.port": 2591,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "api.example.net",
 "url.extension": "htm",
 "url.fragment": "eriamea",
 "url.original": "https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea",
 "url.path": [
- "https://www5.example.net",
- "/equat/doloreme.htm"
+ "/equat/doloreme.htm",
+ "https://www5.example.net"
 ],
 "url.query": "ione=ihilmole",
 "url.registered_domain": "example.net",
@@ -1343,12 +1343,12 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www5.example.com",
- "internal.example.net"
+ "internal.example.net",
+ "www5.example.com"
 ],
 "related.ip": [
- "10.214.7.83",
- "10.13.59.31"
+ "10.13.59.31",
+ "10.214.7.83"
 ],
 "related.user": [
 "etdol"
@@ -1377,16 +1377,16 @@
 ],
 "source.port": 5685,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www5.example.com",
 "url.extension": "gif",
 "url.fragment": "xerc",
 "url.original": "https://www5.example.com/estia/tper.gif?volupt=osqui#xerc",
 "url.path": [
- "https://internal.example.net",
- "/estia/tper.gif"
+ "/estia/tper.gif",
+ "https://internal.example.net"
 ],
 "url.query": "volupt=osqui",
 "url.registered_domain": "example.com",
@@ -1421,12 +1421,12 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "internal.example.net",
- "api.example.org"
+ "api.example.org",
+ "internal.example.net"
 ],
 "related.ip": [
- "10.89.201.140",
- "10.49.92.179"
+ "10.49.92.179",
+ "10.89.201.140"
 ],
 "related.user": [
 "isnisiu"
@@ -1458,16 +1458,16 @@
 ],
 "source.port": 2447,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "internal.example.net",
 "url.extension": "htm",
 "url.fragment": "isnis",
 "url.original": "https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis",
 "url.path": [
- "https://api.example.org",
- "/sin/rvel.htm"
+ "/sin/rvel.htm",
+ "https://api.example.org"
 ],
 "url.query": "nimid=itatione",
 "url.registered_domain": "example.net",
@@ -1502,8 +1502,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "mail.example.net",
- "api.example.org"
+ "api.example.org",
+ "mail.example.net"
 ],
 "related.ip": [
 "10.235.7.92",
@@ -1536,16 +1536,16 @@
 ],
 "source.port": 5787,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "api.example.org",
 "url.extension": "gif",
 "url.fragment": "equat",
 "url.original": "https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat",
 "url.path": [
- "https://mail.example.net",
- "/abo/veniamqu.gif"
+ "/abo/veniamqu.gif",
+ "https://mail.example.net"
 ],
 "url.query": "aliquide=ofde",
 "url.registered_domain": "example.org",
@@ -1584,16 +1584,16 @@
 "www5.example.net"
 ],
 "related.ip": [
- "10.14.48.16",
- "10.14.211.43"
+ "10.14.211.43",
+ "10.14.48.16"
 ],
 "related.user": [
 "volupt"
 ],
 "rsa.internal.messageid": "PROPFIND",
 "rsa.misc.action": [
- "cancel",
- "PROPFIND"
+ "PROPFIND",
+ "cancel"
 ],
 "rsa.misc.content_type": "Utenima",
 "rsa.misc.result_code": "uiinea",
@@ -1614,16 +1614,16 @@
 ],
 "source.port": 4762,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "api.example.org",
 "url.extension": "jpg",
 "url.fragment": "icabo",
 "url.original": "https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo",
 "url.path": [
- "https://www5.example.net",
- "/autfu/gnaaliq.jpg"
+ "/autfu/gnaaliq.jpg",
+ "https://www5.example.net"
 ],
 "url.query": "olupta=litse",
 "url.registered_domain": "example.org",
@@ -1658,12 +1658,12 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "internal.example.net",
- "example.com"
+ "example.com",
+ "internal.example.net"
 ],
 "related.ip": [
- "10.93.123.174",
- "10.47.25.230"
+ "10.47.25.230",
+ "10.93.123.174"
 ],
 "related.user": [
 "reetdolo"
@@ -1672,8 +1672,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "block",
- "CONNECT"
+ "CONNECT",
+ "block"
 ],
 "rsa.misc.content_type": "iusmodi",
 "rsa.misc.result_code": "etcons",
@@ -1694,16 +1694,16 @@
 ],
 "source.port": 5491,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "internal.example.net",
 "url.extension": "html",
 "url.fragment": "ntocc",
 "url.original": "https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc",
 "url.path": [
- "https://example.com",
- "/ptatemq/luptatev.html"
+ "/ptatemq/luptatev.html",
+ "https://example.com"
 ],
 "url.query": "Nequepo=ipsumd",
 "url.registered_domain": "example.net",
@@ -1772,16 +1772,16 @@
 ],
 "source.port": 837,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www5.example.net",
 "url.extension": "gif",
 "url.fragment": "cons",
 "url.original": "https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons",
 "url.path": [
- "https://www5.example.com",
- "/quiavol/rrorsi.gif"
+ "/quiavol/rrorsi.gif",
+ "https://www5.example.com"
 ],
 "url.query": "iatisu=sec",
 "url.registered_domain": "example.net",
@@ -1828,8 +1828,8 @@
 ],
 "rsa.internal.messageid": "PROPATCH",
 "rsa.misc.action": [
- "accept",
- "PROPATCH"
+ "PROPATCH",
+ "accept"
 ],
 "rsa.misc.content_type": "squirati",
 "rsa.misc.result_code": "Nemoenim",
@@ -1850,16 +1850,16 @@
 ],
 "source.port": 2805,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "api.example.net",
 "url.extension": "jpg",
 "url.fragment": "edquia",
 "url.original": "https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia",
 "url.path": [
- "https://mail.example.com",
- "/orain/tiumt.jpg"
+ "/orain/tiumt.jpg",
+ "https://mail.example.com"
 ],
 "url.query": "litessec=itas",
 "url.registered_domain": "example.net",
@@ -1894,8 +1894,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www.example.net",
- "example.net"
+ "example.net",
+ "www.example.net"
 ],
 "related.ip": [
 "10.135.217.12",
@@ -1928,16 +1928,16 @@
 ],
 "source.port": 4427,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www.example.net",
 "url.extension": "txt",
 "url.fragment": "untut",
 "url.original": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut",
 "url.path": [
- "https://example.net",
- "/str/idolore.txt"
+ "/str/idolore.txt",
+ "https://example.net"
 ],
 "url.query": "eetdolo=cteturad",
 "url.registered_domain": "example.net",
@@ -1976,8 +1976,8 @@
 "mail.example.net"
 ],
 "related.ip": [
- "10.233.239.112",
- "10.13.226.57"
+ "10.13.226.57",
+ "10.233.239.112"
 ],
 "related.user": [
 "mquelau"
@@ -2006,16 +2006,16 @@
 ],
 "source.port": 3275,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "mail.example.net",
 "url.extension": "html",
 "url.fragment": "mestq",
 "url.original": "https://mail.example.net/velitse/oditem.html?torever=oremi#mestq",
 "url.path": [
- "https://internal.example.com",
- "/velitse/oditem.html"
+ "/velitse/oditem.html",
+ "https://internal.example.com"
 ],
 "url.query": "torever=oremi",
 "url.registered_domain": "example.net",
@@ -2050,12 +2050,12 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "internal.example.org",
- "example.com"
+ "example.com",
+ "internal.example.org"
 ],
 "related.ip": [
- "10.21.169.127",
- "10.161.203.252"
+ "10.161.203.252",
+ "10.21.169.127"
 ],
 "related.user": [
 "ice"
@@ -2086,16 +2086,16 @@
 ],
 "source.port": 301,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "internal.example.org",
 "url.extension": "gif",
 "url.fragment": "uisa",
 "url.original": "https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa",
 "url.path": [
- "https://example.com",
- "/isnisi/ritatise.gif"
+ "/isnisi/ritatise.gif",
+ "https://example.com"
 ],
 "url.query": "tamet=quatur",
 "url.registered_domain": "example.org",
@@ -2134,16 +2134,16 @@
 "www.example.net"
 ],
 "related.ip": [
- "10.69.139.26",
- "10.17.215.111"
+ "10.17.215.111",
+ "10.69.139.26"
 ],
 "related.user": [
 "edqui"
 ],
 "rsa.internal.messageid": "LOCK",
 "rsa.misc.action": [
- "block",
- "LOCK"
+ "LOCK",
+ "block"
 ],
 "rsa.misc.content_type": "volupta",
 "rsa.misc.result_code": "veli",
@@ -2164,16 +2164,16 @@
 ],
 "source.port": 148,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www.example.net",
 "url.extension": "htm",
 "url.fragment": "ano",
 "url.original": "https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano",
 "url.path": [
- "https://api.example.com",
- "/ianon/tsed.htm"
+ "/ianon/tsed.htm",
+ "https://api.example.com"
 ],
 "url.query": "ameiusm=proide",
 "url.registered_domain": "example.net",
@@ -2208,8 +2208,8 @@
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
 "related.hosts": [
- "www5.example.org",
- "mail.example.org"
+ "mail.example.org",
+ "www5.example.org"
 ],
 "related.ip": [
 "10.10.213.83",
@@ -2242,16 +2242,16 @@
 ],
 "source.port": 7206,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "www5.example.org",
 "url.extension": "jpg",
 "url.fragment": "apariat",
 "url.original": "https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat",
 "url.path": [
- "https://mail.example.org",
- "/ncididun/umSe.jpg"
+ "/ncididun/umSe.jpg",
+ "https://mail.example.org"
 ],
 "url.query": "ise=itau",
 "url.registered_domain": "example.org",
@@ -2319,16 +2319,16 @@
 ],
 "source.port": 3480,
 "tags": [
- "squid.log",
- "forwarded"
+ "forwarded",
+ "squid.log"
 ],
 "url.domain": "example.org",
 "url.extension": "gif",
 "url.fragment": "tem",
 "url.original": "https://example.org/uatur/adminimv.gif?exeacom=roidents#tem",
 "url.path": [
- "https://api.example.org",
- "/uatur/adminimv.gif"
+ "/uatur/adminimv.gif",
+ "https://api.example.org"
 ],
 "url.query": "exeacom=roidents",
 "url.registered_domain": "example.org",
@@ -2372,8 +2372,8 @@
 ],
 "rsa.internal.messageid": "ICP_QUERY",
 "rsa.misc.action": [
- "cancel",
- "ICP_QUERY"
+ "ICP_QUERY",
+ "cancel"
 ],
 "rsa.misc.content_type": "ntsunt",
 "rsa.misc.result_code": "amcorp",
@@ -2394,16 +2394,16 @@ ], "source.port": 2751, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.com", "url.extension": "html", "url.fragment": "reprehe", "url.original": "https://api.example.com/ven/rQu.html?doloreme=dun#reprehe", "url.path": [ - "https://mail.example.com", - "/ven/rQu.html" + "/ven/rQu.html", + "https://mail.example.com" ], "url.query": "doloreme=dun", "url.registered_domain": "example.com", @@ -2442,8 +2442,8 @@ "mail.example.com" ], "related.ip": [ - "10.76.110.144", - "10.0.98.205" + "10.0.98.205", + "10.76.110.144" ], "related.user": [ "upt" @@ -2475,16 +2475,16 @@ ], "source.port": 126, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "html", "url.fragment": "ate", "url.original": "https://api.example.net/eseru/quamest.html?qua=rsita#ate", "url.path": [ - "https://mail.example.com", - "/eseru/quamest.html" + "/eseru/quamest.html", + "https://mail.example.com" ], "url.query": "qua=rsita", "url.registered_domain": "example.net", @@ -2531,8 +2531,8 @@ ], "rsa.internal.messageid": "MOVE", "rsa.misc.action": [ - "deny", - "MOVE" + "MOVE", + "deny" ], "rsa.misc.content_type": "elites", "rsa.misc.result_code": "oremi", @@ -2553,16 +2553,16 @@ ], "source.port": 1646, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.org", "url.extension": "txt", "url.fragment": "isiu", "url.original": "https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu", "url.path": [ - "https://www.example.org", - "/mvolu/conse.txt" + "/mvolu/conse.txt", + "https://www.example.org" ], "url.query": "aincidu=nimadmin", "url.registered_domain": "example.org", @@ -2608,8 +2608,8 @@ ], "rsa.internal.messageid": "TRACE", "rsa.misc.action": [ - "accept", - "TRACE" + "TRACE", + "accept" ], "rsa.misc.content_type": "plica", "rsa.misc.result_code": "cidunt", 
@@ -2630,16 +2630,16 @@ ], "source.port": 4686, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.org", "url.extension": "html", "url.fragment": "ilmol", "url.original": "https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol", "url.path": [ - "https://internal.example.org", - "/isciv/rroqu.html" + "/isciv/rroqu.html", + "https://internal.example.org" ], "url.query": "uisa=tametco", "url.registered_domain": "example.org", @@ -2674,8 +2674,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.net", - "example.org" + "example.org", + "www5.example.net" ], "related.ip": [ "10.150.245.88", @@ -2708,16 +2708,16 @@ ], "source.port": 4275, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.net", "url.extension": "txt", "url.fragment": "pid", "url.original": "https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid", "url.path": [ - "https://example.org", - "/uaeratv/isa.txt" + "/uaeratv/isa.txt", + "https://example.org" ], "url.query": "periam=dqu", "url.registered_domain": "example.net", @@ -2752,20 +2752,20 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.com", - "mail.example.net" + "mail.example.net", + "www5.example.com" ], "related.ip": [ - "10.73.207.70", - "10.61.92.2" + "10.61.92.2", + "10.73.207.70" ], "related.user": [ "atu" ], "rsa.internal.messageid": "UNLOCK", "rsa.misc.action": [ - "block", - "UNLOCK" + "UNLOCK", + "block" ], "rsa.misc.content_type": "commodi", "rsa.misc.result_code": "ssecil", 
@@ -2786,16 +2786,16 @@ ], "source.port": 6595, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.com", "url.extension": "txt", "url.fragment": "remagn", "url.original": "https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn", "url.path": [ - "https://mail.example.net", - "/orroq/vitaedic.txt" + "/orroq/vitaedic.txt", + "https://mail.example.net" ], "url.query": "orisni=ons", "url.registered_domain": "example.com", @@ -2829,8 +2829,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "internal.example.com", - "example.net" + "example.net", + "internal.example.com" ], "related.ip": [ "10.50.124.116", @@ -2841,8 +2841,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "allow", - "GET" + "GET", + "allow" ], "rsa.misc.content_type": "numquam", "rsa.misc.result_code": "temUt", @@ -2863,16 +2863,16 @@ ], "source.port": 5271, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "example.net", "url.extension": "gif", "url.fragment": "ruredo", "url.original": "https://example.net/mven/olorsit.gif?oremag=illu#ruredo", "url.path": [ - "https://internal.example.com", - "/mven/olorsit.gif" + "/mven/olorsit.gif", + "https://internal.example.com" ], "url.query": "oremag=illu", "url.registered_domain": "example.net", @@ -2905,8 +2905,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.net", - "api.example.org" + "api.example.org", + "www5.example.net" ], "related.ip": [ "10.173.222.131", 
@@ -2939,16 +2939,16 @@ ], "source.port": 918, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.net", "url.extension": "html", "url.fragment": "oin", "url.original": "https://www5.example.net/rum/eataevi.html?ulla=iqu#oin", "url.path": [ - "https://api.example.org", - "/rum/eataevi.html" + "/rum/eataevi.html", + "https://api.example.org" ], "url.query": "ulla=iqu", "url.registered_domain": "example.net", @@ -2987,8 +2987,8 @@ "www5.example.net" ], "related.ip": [ - "10.11.83.126", - "10.0.157.225" + "10.0.157.225", + "10.11.83.126" ], "related.user": [ "atu" @@ -3017,16 +3017,16 @@ ], "source.port": 6581, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.net", "url.extension": "txt", "url.fragment": "tinvolup", "url.original": "https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup", "url.path": [ - "https://www5.example.net", - "/osquir/mod.txt" + "/osquir/mod.txt", + "https://www5.example.net" ], "url.query": "fugitse=imad", "url.registered_domain": "example.net", @@ -3065,16 +3065,16 @@ "www5.example.com" ], "related.ip": [ - "10.92.237.93", - "10.228.77.21" + "10.228.77.21", + "10.92.237.93" ], "related.user": [ "onse" ], "rsa.internal.messageid": "PUT", "rsa.misc.action": [ - "cancel", - "PUT" + "PUT", + "cancel" ], "rsa.misc.content_type": "mod", "rsa.misc.result_code": "gnaa", @@ -3095,16 +3095,16 @@ ], "source.port": 6889, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.com", "url.extension": "txt", "url.fragment": "mve", "url.original": "https://api.example.com/asper/umq.txt?itasper=uae#mve", "url.path": [ - "https://www5.example.com", - "/asper/umq.txt" + "/asper/umq.txt", + "https://www5.example.com" ], "url.query": "itasper=uae", "url.registered_domain": "example.com", 
@@ -3139,12 +3139,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.net", - "api.example.com" + "api.example.com", + "www5.example.net" ], "related.ip": [ - "10.20.28.92", - "10.102.215.23" + "10.102.215.23", + "10.20.28.92" ], "related.user": [ "ntexpl" @@ -3175,16 +3175,16 @@ ], "source.port": 3665, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.net", "url.extension": "jpg", "url.fragment": "veniamqu", "url.original": "https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu", "url.path": [ - "https://api.example.com", - "/quatD/isqua.jpg" + "/quatD/isqua.jpg", + "https://api.example.com" ], "url.query": "oloreseo=iruredol", "url.registered_domain": "example.net", @@ -3229,8 +3229,8 @@ ], "rsa.internal.messageid": "NONE", "rsa.misc.action": [ - "block", - "NONE" + "NONE", + "block" ], "rsa.misc.content_type": "uamei", "rsa.misc.result_code": "ecatcupi", @@ -3251,16 +3251,16 @@ ], "source.port": 5627, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "html", "url.fragment": "repreh", "url.original": "https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh", "url.path": [ - "https://www5.example.com", - "/ation/luptas.html" + "/ation/luptas.html", + "https://www5.example.com" ], "url.query": "iatqu=lorsi", "url.registered_domain": "example.net", @@ -3329,16 +3329,16 @@ ], "source.port": 5137, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.com", "url.extension": "jpg", "url.fragment": "eumi", "url.original": "https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi", "url.path": [ - "https://api.example.com", - "/mpo/unte.jpg" + "/mpo/unte.jpg", + "https://api.example.com" ], "url.query": "ueipsa=scipitl", "url.registered_domain": "example.com", 
@@ -3410,16 +3410,16 @@ ], "source.port": 5169, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.org", "url.extension": "jpg", "url.fragment": "olup", "url.original": "https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup", "url.path": [ - "https://example.com", - "/uov/quaeab.jpg" + "/uov/quaeab.jpg", + "https://example.com" ], "url.query": "moles=dipiscin", "url.registered_domain": "example.org", @@ -3454,8 +3454,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.org", - "example.net" + "example.net", + "www5.example.org" ], "related.ip": [ "10.231.7.209", @@ -3469,8 +3469,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "block", - "HEAD" + "HEAD", + "block" ], "rsa.misc.content_type": "scipitl", "rsa.misc.result_code": "temaccu", @@ -3490,16 +3490,16 @@ ], "source.port": 77, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "example.net", "url.extension": "jpg", "url.fragment": "snos", "url.original": "https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos", "url.path": [ - "https://www5.example.org", - "/edolo/ugiatquo.jpg" + "/edolo/ugiatquo.jpg", + "https://www5.example.org" ], "url.query": "eosquira=pta", "url.registered_domain": "example.net", @@ -3537,8 +3537,8 @@ "www.example.com" ], "related.ip": [ - "10.77.129.175", - "10.121.163.5" + "10.121.163.5", + "10.77.129.175" ], "related.user": [ "BCS" 
@@ -3569,16 +3569,16 @@ ], "source.port": 7803, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.org", "url.extension": "htm", "url.fragment": "nrepreh", "url.original": "https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh", "url.path": [ - "https://www.example.com", - "/isci/dolor.htm" + "/isci/dolor.htm", + "https://www.example.com" ], "url.query": "orinrep=quiavol", "url.registered_domain": "example.org", @@ -3613,8 +3613,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www.example.com", - "mail.example.com" + "mail.example.com", + "www.example.com" ], "related.ip": [ "10.116.146.114", @@ -3647,16 +3647,16 @@ ], "source.port": 329, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.com", "url.extension": "gif", "url.fragment": "culpaqui", "url.original": "https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui", "url.path": [ - "https://www.example.com", - "/roide/tem.gif" + "/roide/tem.gif", + "https://www.example.com" ], "url.query": "rerepre=nculpaq", "url.registered_domain": "example.com", @@ -3691,8 +3691,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "internal.example.net", - "api.example.com" + "api.example.com", + "internal.example.net" ], "related.ip": [ "10.244.108.135", @@ -3725,16 +3725,16 @@ ], "source.port": 6997, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.net", "url.extension": "jpg", "url.fragment": "edquia", "url.original": "https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia", "url.path": [ - "https://api.example.com", - "/rautod/olest.jpg" + "/rautod/olest.jpg", + "https://api.example.com" ], "url.query": "lapar=ritati", "url.registered_domain": "example.net", 
@@ -3803,16 +3803,16 @@ ], "source.port": 3833, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.org", "url.extension": "txt", "url.fragment": "iame", "url.original": "https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame", "url.path": [ - "https://www.example.net", - "/iusmodt/enim.txt" + "/iusmodt/enim.txt", + "https://www.example.net" ], "url.query": "aquio=ersp", "url.registered_domain": "example.org", @@ -3847,8 +3847,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.org", - "example.org" + "example.org", + "www5.example.org" ], "related.ip": [ "10.45.114.111", @@ -3861,8 +3861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "accept", - "POST" + "POST", + "accept" ], "rsa.misc.content_type": "mdolors", "rsa.misc.result_code": "edictasu", @@ -3882,16 +3882,16 @@ ], "source.port": 357, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "example.org", "url.extension": "html", "url.fragment": "eetdo", "url.original": "https://example.org/abillo/undeom.html?oraincid=quaer#eetdo", "url.path": [ - "https://www5.example.org", - "/abillo/undeom.html" + "/abillo/undeom.html", + "https://www5.example.org" ], "url.query": "oraincid=quaer", "url.registered_domain": "example.org", @@ -3959,16 +3959,16 @@ ], "source.port": 4078, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.net", "url.extension": "jpg", "url.fragment": "sse", "url.original": "https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse", "url.path": [ - "https://www5.example.net", - "/uam/orumSec.jpg" + "/uam/orumSec.jpg", + "https://www5.example.net" ], "url.query": "isnisiu=suntincu", "url.registered_domain": "example.net", 
@@ -4003,12 +4003,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.org", - "mail.example.com" + "mail.example.com", + "www5.example.org" ], "related.ip": [ - "10.183.223.149", - "10.17.202.219" + "10.17.202.219", + "10.183.223.149" ], "related.user": [ "odoco" @@ -4040,16 +4040,16 @@ ], "source.port": 487, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.org", "url.extension": "txt", "url.fragment": "iamea", "url.original": "https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea", "url.path": [ - "https://mail.example.com", - "/umiurer/rere.txt" + "/umiurer/rere.txt", + "https://mail.example.com" ], "url.query": "mnisi=usmo", "url.registered_domain": "example.org", @@ -4084,8 +4084,8 @@ "internal.example.org" ], "related.ip": [ - "10.88.172.222", - "10.81.140.173" + "10.81.140.173", + "10.88.172.222" ], "related.user": [ "etdol" @@ -4114,16 +4114,16 @@ ], "source.port": 7623, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.net", "url.extension": "jpg", "url.fragment": "remipsu", "url.original": "https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu", "url.path": [ - "https://internal.example.org", - "/atnula/ditautf.jpg" + "/atnula/ditautf.jpg", + "https://internal.example.org" ], "url.query": "iquidex=olup", "url.registered_domain": "example.net", @@ -4166,8 +4166,8 @@ ], "rsa.internal.messageid": "OPTIONS", "rsa.misc.action": [ - "accept", - "OPTIONS" + "OPTIONS", + "accept" ], "rsa.misc.content_type": "eacommo", "rsa.misc.result_code": "hend", 
@@ -4188,16 +4188,16 @@ ], "source.port": 4247, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "txt", "url.fragment": "xeacommo", "url.original": "https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo", "url.path": [ - "https://example.com", - "/uscip/umS.txt" + "/uscip/umS.txt", + "https://example.com" ], "url.query": "quiacons=uisa", "url.registered_domain": "example.net", @@ -4232,8 +4232,8 @@ "www5.example.net" ], "related.ip": [ - "10.172.148.223", - "10.110.86.230" + "10.110.86.230", + "10.172.148.223" ], "related.user": [ "enimadm" @@ -4262,16 +4262,16 @@ ], "source.port": 536, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.com", "url.extension": "txt", "url.fragment": "temporai", "url.original": "https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai", "url.path": [ - "https://www5.example.net", - "/mrema/ullamc.txt" + "/mrema/ullamc.txt", + "https://www5.example.net" ], "url.query": "eufug=roquisq", "url.registered_domain": "example.com", @@ -4306,8 +4306,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.com", - "internal.example.net" + "internal.example.net", + "www5.example.com" ], "related.ip": [ "10.232.19.43", @@ -4321,8 +4321,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "deny", - "GET" + "GET", + "deny" ], "rsa.misc.content_type": "eriam", "rsa.misc.result_code": "sseq", 
@@ -4343,16 +4343,16 @@ ], "source.port": 3481, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.com", "url.extension": "txt", "url.fragment": "orsitam", "url.original": "https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam", "url.path": [ - "https://internal.example.net", - "/isau/itinvol.txt" + "/isau/itinvol.txt", + "https://internal.example.net" ], "url.query": "saquaea=ons", "url.registered_domain": "example.com", @@ -4421,16 +4421,16 @@ ], "source.port": 973, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "htm", "url.fragment": "onemulla", "url.original": "https://api.example.net/veli/venia.htm?etdolor=uat#onemulla", "url.path": [ - "https://example.net", - "/veli/venia.htm" + "/veli/venia.htm", + "https://example.net" ], "url.query": "etdolor=uat", "url.registered_domain": "example.net", @@ -4499,16 +4499,16 @@ ], "source.port": 203, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.net", "url.extension": "jpg", "url.fragment": "expli", "url.original": "https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli", "url.path": [ - "https://www5.example.net", - "/ainci/osqu.jpg" + "/ainci/osqu.jpg", + "https://www5.example.net" ], "url.query": "sus=imavenia", "url.registered_domain": "example.net", @@ -4543,12 +4543,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www.example.org", - "internal.example.net" + "internal.example.net", + "www.example.org" ], "related.ip": [ - "10.54.44.231", - "10.101.183.86" + "10.101.183.86", + "10.54.44.231" ], "related.user": [ "mcorpo" @@ -4557,8 +4557,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "allow", - "CONNECT" + "CONNECT", + "allow" ], "rsa.misc.content_type": "oreverit", "rsa.misc.result_code": "abor", 
@@ -4579,16 +4579,16 @@ ], "source.port": 5292, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.org", "url.extension": "htm", "url.fragment": "seos", "url.original": "https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos", "url.path": [ - "https://internal.example.net", - "/runtm/eturadip.htm" + "/runtm/eturadip.htm", + "https://internal.example.net" ], "url.query": "psumd=oloree", "url.registered_domain": "example.org", @@ -4619,12 +4619,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www.example.net", - "internal.example.org" + "internal.example.org", + "www.example.net" ], "related.ip": [ - "10.181.177.74", - "10.130.150.189" + "10.130.150.189", + "10.181.177.74" ], "related.user": [ "nvo" @@ -4653,16 +4653,16 @@ ], "source.port": 3378, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.org", "url.extension": "html", "url.fragment": "umwri", "url.original": "https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri", "url.path": [ - "https://www.example.net", - "/liquipex/uisnos.html" + "/liquipex/uisnos.html", + "https://www.example.net" ], "url.query": "ventor=lupt", "url.registered_domain": "example.org", @@ -4734,16 +4734,16 @@ ], "source.port": 2492, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.org", "url.extension": "txt", "url.fragment": "veniamq", "url.original": "https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq", "url.path": [ - "https://api.example.net", - "/mquisnos/lore.txt" + "/mquisnos/lore.txt", + "https://api.example.net" ], "url.query": "siar=isn", "url.registered_domain": "example.org", 
@@ -4778,20 +4778,20 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www.example.com", - "api.example.com" + "api.example.com", + "www.example.com" ], "related.ip": [ - "10.219.245.58", - "10.166.160.217" + "10.166.160.217", + "10.219.245.58" ], "related.user": [ "radip" ], "rsa.internal.messageid": "COPY", "rsa.misc.action": [ - "deny", - "COPY" + "COPY", + "deny" ], "rsa.misc.content_type": "iameaqu", "rsa.misc.result_code": "Dui", @@ -4812,16 +4812,16 @@ ], "source.port": 7073, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.com", "url.extension": "htm", "url.fragment": "uptatem", "url.original": "https://www.example.com/quas/occaeca.htm?ender=dico#uptatem", "url.path": [ - "https://api.example.com", - "/quas/occaeca.htm" + "/quas/occaeca.htm", + "https://api.example.com" ], "url.query": "ender=dico", "url.registered_domain": "example.com", @@ -4854,8 +4854,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.org", - "example.com" + "example.com", + "www5.example.org" ], "related.ip": [ "10.183.243.246", @@ -4888,16 +4888,16 @@ ], "source.port": 723, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.org", "url.extension": "jpg", "url.fragment": "sit", "url.original": "https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit", "url.path": [ - "https://example.com", - "/uidolo/umdolore.jpg" + "/uidolo/umdolore.jpg", + "https://example.com" ], "url.query": "oquisq=abori", "url.registered_domain": "example.org", @@ -4944,8 +4944,8 @@ ], "rsa.internal.messageid": "OPTIONS", "rsa.misc.action": [ - "cancel", - "OPTIONS" + "OPTIONS", + "cancel" ], "rsa.misc.content_type": "umf", "rsa.misc.result_code": "obeataev", 
@@ -4966,16 +4966,16 @@ ], "source.port": 1585, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.net", "url.extension": "htm", "url.fragment": "tisu", "url.original": "https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu", "url.path": [ - "https://www.example.com", - "/eniamqu/inimav.htm" + "/eniamqu/inimav.htm", + "https://www.example.com" ], "url.query": "imadm=uta", "url.registered_domain": "example.net", @@ -5014,8 +5014,8 @@ "mail.example.net" ], "related.ip": [ - "10.72.99.69", - "10.170.234.233" + "10.170.234.233", + "10.72.99.69" ], "related.user": [ "uatu" @@ -5044,16 +5044,16 @@ ], "source.port": 3172, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.net", "url.extension": "htm", "url.fragment": "giatquo", "url.original": "https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo", "url.path": [ - "https://mail.example.com", - "/sintocca/mipsumqu.htm" + "/sintocca/mipsumqu.htm", + "https://mail.example.com" ], "url.query": "tnulapar=ico", "url.registered_domain": "example.net", @@ -5088,8 +5088,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "internal.example.net", - "api.example.org" + "api.example.org", + "internal.example.net" ], "related.ip": [ "10.142.130.227", @@ -5122,16 +5122,16 @@ ], "source.port": 4017, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.org", "url.extension": "html", "url.fragment": "eleumi", "url.original": "https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi", "url.path": [ - "https://internal.example.net", - "/rep/remap.html" + "/rep/remap.html", + "https://internal.example.net" ], "url.query": "siarc=fdeFin", "url.registered_domain": "example.org", 
@@ -5178,8 +5178,8 @@ ], "rsa.internal.messageid": "DELETE", "rsa.misc.action": [ - "deny", - "DELETE" + "DELETE", + "deny" ], "rsa.misc.content_type": "tmo", "rsa.misc.result_code": "cin", @@ -5200,16 +5200,16 @@ ], "source.port": 4104, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "htm", "url.fragment": "osa", "url.original": "https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa", "url.path": [ - "https://example.com", - "/eturad/tDuis.htm" + "/eturad/tDuis.htm", + "https://example.com" ], "url.query": "enimadmi=tateveli", "url.registered_domain": "example.net", @@ -5240,8 +5240,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www.example.net", - "mail.example.net" + "mail.example.net", + "www.example.net" ], "related.ip": [ "10.172.139.78", @@ -5252,8 +5252,8 @@ ], "rsa.internal.messageid": "COPY", "rsa.misc.action": [ - "block", - "COPY" + "COPY", + "block" ], "rsa.misc.content_type": "animid", "rsa.misc.result_code": "inea", @@ -5274,16 +5274,16 @@ ], "source.port": 6533, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.net", "url.extension": "htm", "url.fragment": "madmi", "url.original": "https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi", "url.path": [ - "https://mail.example.net", - "/hender/ptatemU.htm" + "/hender/ptatemU.htm", + "https://mail.example.net" ], "url.query": "mquisnos=tnulapa", "url.registered_domain": "example.net", @@ -5332,8 +5332,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "block", - "CONNECT" + "CONNECT", + "block" ], "rsa.misc.content_type": "teturad", "rsa.misc.result_code": "avolu", 
@@ -5354,16 +5354,16 @@ ], "source.port": 2805, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.org", "url.extension": "htm", "url.fragment": "oid", "url.original": "https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid", "url.path": [ - "https://api.example.net", - "/iduntutl/rsitam.htm" + "/iduntutl/rsitam.htm", + "https://api.example.net" ], "url.query": "ntor=oinBCSed", "url.registered_domain": "example.org", @@ -5408,8 +5408,8 @@ ], "rsa.internal.messageid": "PURGE", "rsa.misc.action": [ - "cancel", - "PURGE" + "PURGE", + "cancel" ], "rsa.misc.content_type": "laboree", "rsa.misc.result_code": "oll", @@ -5429,16 +5429,16 @@ ], "source.port": 5012, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "example.org", "url.extension": "html", "url.fragment": "dat", "url.original": "https://example.org/itessequ/porissu.html?uip=ectobea#dat", "url.path": [ - "https://api.example.org", - "/itessequ/porissu.html" + "/itessequ/porissu.html", + "https://api.example.org" ], "url.query": "uip=ectobea", "url.registered_domain": "example.org", @@ -5476,8 +5476,8 @@ "www5.example.com" ], "related.ip": [ - "10.255.40.12", - "10.176.62.146" + "10.176.62.146", + "10.255.40.12" ], "related.user": [ "oeiusmo" @@ -5506,16 +5506,16 @@ ], "source.port": 5945, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "txt", "url.fragment": "nimide", "url.original": "https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide", "url.path": [ - "https://www5.example.com", - "/enimad/tis.txt" + "/enimad/tis.txt", + "https://www5.example.com" ], "url.query": "mipsumq=ident", "url.registered_domain": "example.net", @@ -5553,8 +5553,8 @@ "internal.example.com" ], "related.ip": [ - "10.88.98.31", - "10.194.198.46" + "10.194.198.46", + "10.88.98.31" ], "rsa.internal.messageid": "GET", "rsa.investigations.ec_activity": "Request", 
@@ -5584,16 +5584,16 @@ ], "source.port": 3387, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.org", "url.extension": "htm", "url.fragment": "nse", "url.original": "https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse", "url.path": [ - "https://internal.example.com", - "/taspe/yCiceroi.htm" + "/taspe/yCiceroi.htm", + "https://internal.example.com" ], "url.query": "cti=ommodoc", "url.registered_domain": "example.org", @@ -5627,8 +5627,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.com", - "example.com" + "example.com", + "www5.example.com" ], "related.ip": [ "10.1.27.133", @@ -5660,16 +5660,16 @@ ], "source.port": 7503, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "example.com", "url.extension": "jpg", "url.fragment": "iarchite", "url.original": "https://example.com/beat/rro.jpg?uisau=qua#iarchite", "url.path": [ - "https://www5.example.com", - "/beat/rro.jpg" + "/beat/rro.jpg", + "https://www5.example.com" ], "url.query": "uisau=qua", "url.registered_domain": "example.com", @@ -5703,12 +5703,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.org", - "internal.example.com" + "internal.example.com", + "www5.example.org" ], "related.ip": [ - "10.70.244.155", - "10.11.73.145" + "10.11.73.145", + "10.70.244.155" ], "related.user": [ "caboNemo" @@ -5739,16 +5739,16 @@ ], "source.port": 6972, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.org", "url.extension": "txt", "url.fragment": "dexea", "url.original": "https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea", "url.path": [ - "https://internal.example.com", - "/loremq/turmagni.txt" + "/loremq/turmagni.txt", + "https://internal.example.com" ], "url.query": "emUtenim=ende", "url.registered_domain": "example.org", 
@@ -5783,8 +5783,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.net", - "internal.example.com" + "internal.example.com", + "www5.example.net" ], "related.ip": [ "10.121.80.158", @@ -5817,16 +5817,16 @@ ], "source.port": 985, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.net", "url.extension": "txt", "url.fragment": "ecte", "url.original": "https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte", "url.path": [ - "https://internal.example.com", - "/deomnisi/ddoe.txt" + "/deomnisi/ddoe.txt", + "https://internal.example.com" ], "url.query": "oremi=ectobeat", "url.registered_domain": "example.net", @@ -5865,8 +5865,8 @@ "www.example.com" ], "related.ip": [ - "10.74.115.33", - "10.139.151.19" + "10.139.151.19", + "10.74.115.33" ], "related.user": [ "roquisq" @@ -5895,16 +5895,16 @@ ], "source.port": 4006, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "jpg", "url.fragment": "lors", "url.original": "https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors", "url.path": [ - "https://www.example.com", - "/tiset/sci.jpg" + "/tiset/sci.jpg", + "https://www.example.com" ], "url.query": "rauto=doloreeu", "url.registered_domain": "example.net", @@ -5939,8 +5939,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "mail.example.com", - "api.example.net" + "api.example.net", + "mail.example.com" ], "related.ip": [ "10.242.48.203", @@ -5951,8 +5951,8 @@ ], "rsa.internal.messageid": "DELETE", "rsa.misc.action": [ - "deny", - "DELETE" + "DELETE", + "deny" ], "rsa.misc.content_type": "tdolo", "rsa.misc.result_code": "ntu", 
@@ -5973,16 +5973,16 @@ ], "source.port": 6454, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "htm", "url.fragment": "tconsect", "url.original": "https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect", "url.path": [ - "https://mail.example.com", - "/tDuisau/aturve.htm" + "/tDuisau/aturve.htm", + "https://mail.example.com" ], "url.query": "tper=pisciv", "url.registered_domain": "example.net", @@ -6051,16 +6051,16 @@ ], "source.port": 5568, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.com", "url.extension": "jpg", "url.fragment": "scip", "url.original": "https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip", "url.path": [ - "https://www5.example.org", - "/oluptate/todi.jpg" + "/oluptate/todi.jpg", + "https://www5.example.org" ], "url.query": "tdolo=ident", "url.registered_domain": "example.com", @@ -6129,16 +6129,16 @@ ], "source.port": 4749, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.com", "url.extension": "html", "url.fragment": "utlabore", "url.original": "https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore", "url.path": [ - "https://mail.example.org", - "/radipis/lore.html" + "/radipis/lore.html", + "https://mail.example.org" ], "url.query": "civeli=eufugia", "url.registered_domain": "example.com", @@ -6173,12 +6173,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "internal.example.org", - "example.com" + "example.com", + "internal.example.org" ], "related.ip": [ - "10.18.199.203", - "10.0.0.240" + "10.0.0.240", + "10.18.199.203" ], "related.user": [ "ittenb" 
@@ -6207,16 +6207,16 @@ ], "source.port": 1795, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.org", "url.extension": "jpg", "url.fragment": "emp", "url.original": "https://internal.example.org/olupta/tio.jpg?idestl=litani#emp", "url.path": [ - "https://example.com", - "/olupta/tio.jpg" + "/olupta/tio.jpg", + "https://example.com" ], "url.query": "idestl=litani", "url.registered_domain": "example.org", @@ -6255,16 +6255,16 @@ "www5.example.com" ], "related.ip": [ - "10.73.80.251", - "10.1.220.47" + "10.1.220.47", + "10.73.80.251" ], "related.user": [ "ercitati" ], "rsa.internal.messageid": "NONE", "rsa.misc.action": [ - "allow", - "NONE" + "NONE", + "allow" ], "rsa.misc.content_type": "lumquid", "rsa.misc.result_code": "serro", @@ -6285,16 +6285,16 @@ ], "source.port": 6685, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.com", "url.extension": "gif", "url.fragment": "Neq", "url.original": "https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq", "url.path": [ - "https://www5.example.org", - "/sequines/cto.gif" + "/sequines/cto.gif", + "https://www5.example.org" ], "url.query": "temaccu=uamqua", "url.registered_domain": "example.com", @@ -6329,20 +6329,20 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www.example.net", - "api.example.org" + "api.example.org", + "www.example.net" ], "related.ip": [ - "10.22.34.206", - "10.153.109.61" + "10.153.109.61", + "10.22.34.206" ], "related.user": [ "mve" ], "rsa.internal.messageid": "PURGE", "rsa.misc.action": [ - "block", - "PURGE" + "PURGE", + "block" ], "rsa.misc.content_type": "velites", "rsa.misc.result_code": "uasiarch", 
@@ -6363,16 +6363,16 @@ ], "source.port": 7499, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.net", "url.extension": "gif", "url.fragment": "onorume", "url.original": "https://www.example.net/periam/ain.gif?iquipex=mqu#onorume", "url.path": [ - "https://api.example.org", - "/periam/ain.gif" + "/periam/ain.gif", + "https://api.example.org" ], "url.query": "iquipex=mqu", "url.registered_domain": "example.net", @@ -6407,12 +6407,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www.example.net", - "mail.example.com" + "mail.example.com", + "www.example.net" ], "related.ip": [ - "10.62.168.226", - "10.199.103.185" + "10.199.103.185", + "10.62.168.226" ], "related.user": [ "ipsa" @@ -6443,16 +6443,16 @@ ], "source.port": 5334, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.net", "url.extension": "jpg", "url.fragment": "Duis", "url.original": "https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis", "url.path": [ - "https://mail.example.com", - "/ecatc/quovolu.jpg" + "/ecatc/quovolu.jpg", + "https://mail.example.com" ], "url.query": "dexe=nemul", "url.registered_domain": "example.net", @@ -6491,8 +6491,8 @@ "www5.example.com" ], "related.ip": [ - "10.97.33.56", - "10.128.84.27" + "10.128.84.27", + "10.97.33.56" ], "related.user": [ "ptate" @@ -6520,16 +6520,16 @@ ], "source.port": 3541, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "example.com", "url.extension": "gif", "url.fragment": "cipitla", "url.original": "https://example.com/tqui/ssequ.gif?emse=emqui#cipitla", "url.path": [ - "https://www5.example.com", - "/tqui/ssequ.gif" + "/tqui/ssequ.gif", + "https://www5.example.com" ], "url.query": "emse=emqui", "url.registered_domain": "example.com", 
@@ -6563,12 +6563,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.com", - "example.com" + "example.com", + "www5.example.com" ], "related.ip": [ - "10.49.169.175", - "10.115.154.104" + "10.115.154.104", + "10.49.169.175" ], "related.user": [ "ore" @@ -6599,16 +6599,16 @@ ], "source.port": 2103, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "example.com", "url.extension": "jpg", "url.fragment": "quisnost", "url.original": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", "url.path": [ - "https://www5.example.com", - "/caboN/imipsam.jpg" + "/caboN/imipsam.jpg", + "https://www5.example.com" ], "url.query": "catcupid=ritquiin", "url.registered_domain": "example.com", @@ -6676,16 +6676,16 @@ ], "source.port": 2571, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.org", "url.extension": "htm", "url.fragment": "osqu", "url.original": "https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu", "url.path": [ - "https://internal.example.com", - "/oinvento/ali.htm" + "/oinvento/ali.htm", + "https://internal.example.com" ], "url.query": "utaliqui=isciv", "url.registered_domain": "example.org", @@ -6756,16 +6756,16 @@ ], "source.port": 2632, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.net", "url.extension": "htm", "url.fragment": "rch", "url.original": "https://api.example.net/quido/llo.htm?tpersp=assi#rch", "url.path": [ - "https://example.net", - "/quido/llo.htm" + "/quido/llo.htm", + "https://example.net" ], "url.query": "tpersp=assi", "url.registered_domain": "example.net", @@ -6800,8 +6800,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www.example.net", - "example.com" + "example.com", + "www.example.net" ], "related.ip": [ "10.139.195.188", 
@@ -6837,16 +6837,16 @@ ], "source.port": 893, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www.example.net", "url.extension": "txt", "url.fragment": "deriti", "url.original": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", "url.path": [ - "https://example.com", - "/tvolu/imve.txt" + "/tvolu/imve.txt", + "https://example.com" ], "url.query": "gnaaliq=quam", "url.registered_domain": "example.net", @@ -6881,8 +6881,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.com", - "api.example.net" + "api.example.net", + "www5.example.com" ], "related.ip": [ "10.60.56.205", @@ -6915,16 +6915,16 @@ ], "source.port": 4345, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.com", "url.extension": "htm", "url.fragment": "tquii", "url.original": "https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii", "url.path": [ - "https://api.example.net", - "/ugitsed/dminimve.htm" + "/ugitsed/dminimve.htm", + "https://api.example.net" ], "url.query": "onse=uiac", "url.registered_domain": "example.com", @@ -6963,16 +6963,16 @@ "www5.example.net" ], "related.ip": [ - "10.6.11.124", - "10.245.251.98" + "10.245.251.98", + "10.6.11.124" ], "related.user": [ "tvolu" ], "rsa.internal.messageid": "DELETE", "rsa.misc.action": [ - "accept", - "DELETE" + "DELETE", + "accept" ], "rsa.misc.content_type": "onsequ", "rsa.misc.result_code": "strud", @@ -6993,16 +6993,16 @@ ], "source.port": 261, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.com", "url.extension": "htm", "url.fragment": "usan", "url.original": "https://api.example.com/ntium/ide.htm?tamrema=isautem#usan", "url.path": [ - "https://www5.example.net", - "/ntium/ide.htm" + "/ntium/ide.htm", + "https://www5.example.net" ], "url.query": "tamrema=isautem", "url.registered_domain": "example.com", 
@@ -7051,8 +7051,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "block", - "CONNECT" + "CONNECT", + "block" ], "rsa.misc.content_type": "iamquisn", "rsa.misc.result_code": "lorem", @@ -7073,16 +7073,16 @@ ], "source.port": 1537, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.org", "url.extension": "jpg", "url.fragment": "utaliqui", "url.original": "https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui", "url.path": [ - "https://mail.example.org", - "/iad/ngelits.jpg" + "/iad/ngelits.jpg", + "https://mail.example.org" ], "url.query": "mporin=orissusc", "url.registered_domain": "example.org", @@ -7117,12 +7117,12 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "mail.example.com", - "internal.example.com" + "internal.example.com", + "mail.example.com" ], "related.ip": [ - "10.6.88.105", - "10.187.86.64" + "10.187.86.64", + "10.6.88.105" ], "related.user": [ "rem" @@ -7151,16 +7151,16 @@ ], "source.port": 3325, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.com", "url.extension": "htm", "url.fragment": "eprehe", "url.original": "https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe", "url.path": [ - "https://internal.example.com", - "/iatnulap/roi.htm" + "/iatnulap/roi.htm", + "https://internal.example.com" ], "url.query": "uine=loreeu", "url.registered_domain": "example.com", @@ -7195,8 +7195,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "mail.example.org", - "example.com" + "example.com", + "mail.example.org" ], "related.ip": [ "10.163.9.35", 
@@ -7231,16 +7231,16 @@ ], "source.port": 503, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.org", "url.extension": "jpg", "url.fragment": "illoin", "url.original": "https://mail.example.org/turv/use.jpg?mtot=macc#illoin", "url.path": [ - "https://example.com", - "/turv/use.jpg" + "/turv/use.jpg", + "https://example.com" ], "url.query": "mtot=macc", "url.registered_domain": "example.org", @@ -7279,8 +7279,8 @@ "mail.example.com" ], "related.ip": [ - "10.249.101.177", - "10.235.160.245" + "10.235.160.245", + "10.249.101.177" ], "related.user": [ "upta" @@ -7309,16 +7309,16 @@ ], "source.port": 4465, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "mail.example.com", "url.extension": "txt", "url.fragment": "ineavol", "url.original": "https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol", "url.path": [ - "https://api.example.org", - "/umdol/rerepr.txt" + "/umdol/rerepr.txt", + "https://api.example.org" ], "url.query": "emipsumq=orinr", "url.registered_domain": "example.com", @@ -7387,16 +7387,16 @@ ], "source.port": 773, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "internal.example.com", "url.extension": "htm", "url.fragment": "nevolup", "url.original": "https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup", "url.path": [ - "https://mail.example.org", - "/rautod/onorumet.htm" + "/rautod/onorumet.htm", + "https://mail.example.org" ], "url.query": "mvo=agnidol", "url.registered_domain": "example.com", 
@@ -7464,16 +7464,16 @@ ], "source.port": 2125, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "example.net", "url.extension": "jpg", "url.fragment": "asiar", "url.original": "https://example.net/dun/xce.jpg?nsequat=mvol#asiar", "url.path": [ - "https://example.com", - "/dun/xce.jpg" + "/dun/xce.jpg", + "https://example.com" ], "url.query": "nsequat=mvol", "url.registered_domain": "example.net", @@ -7539,16 +7539,16 @@ ], "source.port": 4260, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.com", "url.extension": "jpg", "url.fragment": "sequu", "url.original": "https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu", "url.path": [ - "https://www.example.org", - "/teiru/mquamei.jpg" + "/teiru/mquamei.jpg", + "https://www.example.org" ], "url.query": "pta=uradi", "url.registered_domain": "example.com", @@ -7583,8 +7583,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "www5.example.org", - "www5.example.net" + "www5.example.net", + "www5.example.org" ], "related.ip": [ "10.14.29.202", @@ -7617,16 +7617,16 @@ ], "source.port": 7842, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "www5.example.net", "url.extension": "gif", "url.fragment": "umdolo", "url.original": "https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo", "url.path": [ - "https://www5.example.org", - "/dtempor/rroquisq.gif" + "/dtempor/rroquisq.gif", + "https://www5.example.org" ], "url.query": "liquid=uidex", "url.registered_domain": "example.net", 
@@ -7697,16 +7697,16 @@ ], "source.port": 6682, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.com", "url.extension": "htm", "url.fragment": "rchite", "url.original": "https://api.example.com/ore/adeser.htm?pre=aute#rchite", "url.path": [ - "https://example.com", - "/ore/adeser.htm" + "/ore/adeser.htm", + "https://example.com" ], "url.query": "pre=aute", "url.registered_domain": "example.com", @@ -7741,20 +7741,20 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.hosts": [ - "api.example.org", - "api.example.com" + "api.example.com", + "api.example.org" ], "related.ip": [ - "10.229.39.190", - "10.195.4.70" + "10.195.4.70", + "10.229.39.190" ], "related.user": [ "edictas" ], "rsa.internal.messageid": "PUT", "rsa.misc.action": [ - "deny", - "PUT" + "PUT", + "deny" ], "rsa.misc.content_type": "exeaco", "rsa.misc.result_code": "rmagnido", @@ -7775,16 +7775,16 @@ ], "source.port": 3844, "tags": [ - "squid.log", - "forwarded" + "forwarded", + "squid.log" ], "url.domain": "api.example.com", "url.extension": "htm", "url.fragment": "aer", "url.original": "https://api.example.com/liqu/dolor.htm?ess=umdo#aer", "url.path": [ - "https://api.example.org", - "/liqu/dolor.htm" + "/liqu/dolor.htm", + "https://api.example.org" ], "url.query": "ess=umdo", "url.registered_domain": "example.com", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json index b294e0cbdca..c95a0baa7d9 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json @@ -9,8 +9,8 @@ "destination.packets": 5, "destination.port": 47592, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", 
@@ -37,8 +37,8 @@ "testmynids.org" ], "related.ip": [ - "52.222.141.99", - "10.31.64.240" + "10.31.64.240", + "52.222.141.99" ], "rule.category": "Potentially Bad Traffic", "rule.id": "2100498", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 457a16da86f..97b556a628a 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -18,8 +18,8 @@ "destination.packets": 3, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -99,8 +99,8 @@ "destination.packets": 3, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -180,8 +180,8 @@ "destination.packets": 3, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -261,8 +261,8 @@ "destination.packets": 3, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -342,8 +342,8 @@ "destination.packets": 3, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -423,8 +423,8 @@ "destination.packets": 3, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", 
@@ -504,8 +504,8 @@ "destination.packets": 3, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -585,8 +585,8 @@ "destination.packets": 3, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -666,8 +666,8 @@ "destination.packets": 5, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -747,8 +747,8 @@ "destination.packets": 62, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -828,8 +828,8 @@ "destination.packets": 98, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -909,8 +909,8 @@ "destination.packets": 221, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -990,8 +990,8 @@ "destination.packets": 67, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -1071,8 +1071,8 @@ "destination.packets": 119, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", 
@@ -1152,8 +1152,8 @@ "destination.packets": 253, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -1233,8 +1233,8 @@ "destination.packets": 314, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -1314,8 +1314,8 @@ "destination.packets": 588, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -1395,8 +1395,8 @@ "destination.packets": 591, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -1476,8 +1476,8 @@ "destination.packets": 979, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -1556,8 +1556,8 @@ "destination.packets": 1079, "destination.port": 80, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -1699,8 +1699,8 @@ "destination.packets": 8, "destination.port": 8443, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -1724,8 +1724,8 @@ "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC" ], "related.ip": [ - "10.137.3.54", - "10.128.2.48" + "10.128.2.48", + "10.137.3.54" ], "rule.id": "2610003", "rule.name": "SURICATA TLS on unusual port", 
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json index cdcf57030e6..c320226749e 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json @@ -107,8 +107,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "39523", "dns.question.name": "google.com", @@ -137,9 +137,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "2607:f8b0:4006:0805:0000:0000:0000:200e", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "2607:f8b0:4006:0805:0000:0000:0000:200e" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -171,8 +171,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "51803", "dns.question.name": "google.com", @@ -201,9 +201,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "172.217.11.46", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "172.217.11.46" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -323,12 +323,6 @@ "destination.ip": "10.0.2.15", "destination.port": 50720, "dns.answers": [ - { - "data": "dualstack.r2.shared.global.fastly.net", - "name": "www.elastic.co", - "ttl": 270, - "type": "CNAME" - }, { "data": "151.101.130.217", "name": "dualstack.r2.shared.global.fastly.net", @@ -352,11 +346,17 @@ "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "A" + }, + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 270, + "type": "CNAME" } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "60273", "dns.question.name": "www.elastic.co", 
@@ -389,12 +389,12 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ + "10.0.2.15", + "10.0.2.3", "151.101.130.217", "151.101.194.217", "151.101.2.217", - "151.101.66.217", - "10.0.2.3", - "10.0.2.15" + "151.101.66.217" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -419,39 +419,39 @@ "destination.port": 41979, "dns.answers": [ { - "data": "dualstack.r2.shared.global.fastly.net", - "name": "www.elastic.co", - "ttl": 299, - "type": "CNAME" - }, - { - "data": "2a04:4e42:0600:0000:0000:0000:0000:0729", + "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", + "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "data": "2a04:4e42:0600:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" + }, + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 299, + "type": "CNAME" } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "4210", "dns.question.name": "www.elastic.co", @@ -460,10 +460,10 @@ "dns.question.top_level_domain": "co", "dns.question.type": "AAAA", "dns.resolved_ip": [ - "2a04:4e42:0600:0000:0000:0000:0000:0729", "2a04:4e42:0000:0000:0000:0000:0000:0729", "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729" + "2a04:4e42:0400:0000:0000:0000:0000:0729", + "2a04:4e42:0600:0000:0000:0000:0000:0729" ], "dns.response_code": "NOERROR", "dns.type": "answer", 
@@ -484,12 +484,12 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "2a04:4e42:0600:0000:0000:0000:0000:0729", + "10.0.2.15", + "10.0.2.3", "2a04:4e42:0000:0000:0000:0000:0000:0729", "2a04:4e42:0200:0000:0000:0000:0000:0729", "2a04:4e42:0400:0000:0000:0000:0000:0729", - "10.0.2.3", - "10.0.2.15" + "2a04:4e42:0600:0000:0000:0000:0000:0729" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -617,8 +617,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "28329", "dns.response_code": "NOERROR", @@ -640,8 +640,8 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "10.0.2.3", - "10.0.2.15" + "10.0.2.15", + "10.0.2.3" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -675,8 +675,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "28329", "dns.resolved_ip": [ @@ -701,9 +701,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "98.138.219.232", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "98.138.219.232" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -737,8 +737,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "28329", "dns.resolved_ip": [ @@ -763,9 +763,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "98.138.219.231", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "98.138.219.231" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -799,8 +799,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "28329", "dns.resolved_ip": [ @@ -825,9 +825,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "72.30.35.10", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "72.30.35.10" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -861,8 +861,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "28329", "dns.resolved_ip": [ 
@@ -887,9 +887,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "72.30.35.9", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "72.30.35.9" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -923,8 +923,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "7050", "dns.response_code": "NOERROR", @@ -946,8 +946,8 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "10.0.2.3", - "10.0.2.15" + "10.0.2.15", + "10.0.2.3" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -981,8 +981,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "7050", "dns.resolved_ip": [ @@ -1007,9 +1007,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "2001:4998:0058:1836:0000:0000:0000:0010", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "2001:4998:0058:1836:0000:0000:0000:0010" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -1043,8 +1043,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "7050", "dns.resolved_ip": [ @@ -1069,9 +1069,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "2001:4998:0044:041d:0000:0000:0000:0003", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "2001:4998:0044:041d:0000:0000:0000:0003" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -1105,8 +1105,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "7050", "dns.resolved_ip": [ @@ -1131,9 +1131,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "2001:4998:0058:1836:0000:0000:0000:0011", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "2001:4998:0058:1836:0000:0000:0000:0011" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -1167,8 +1167,8 @@ } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "7050", "dns.resolved_ip": [ 
@@ -1193,9 +1193,9 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "2001:4998:0044:041d:0000:0000:0000:0004", + "10.0.2.15", "10.0.2.3", - "10.0.2.15" + "2001:4998:0044:041d:0000:0000:0000:0004" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -1318,10 +1318,10 @@ "destination.port": 48288, "dns.answers": [ { - "data": "dualstack.r2.shared.global.fastly.net", - "name": "www.elastic.co", - "ttl": 150, - "type": "CNAME" + "data": "151.101.130.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" }, { "data": "151.101.194.217", @@ -1342,15 +1342,15 @@ "type": "A" }, { - "data": "151.101.130.217", - "name": "dualstack.r2.shared.global.fastly.net", - "ttl": 29, - "type": "A" + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 150, + "type": "CNAME" } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "9104", "dns.question.name": "www.elastic.co", @@ -1359,10 +1359,10 @@ "dns.question.top_level_domain": "co", "dns.question.type": "A", "dns.resolved_ip": [ + "151.101.130.217", "151.101.194.217", "151.101.2.217", - "151.101.66.217", - "151.101.130.217" + "151.101.66.217" ], "dns.response_code": "NOERROR", "dns.type": "answer", @@ -1383,12 +1383,12 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ + "10.0.2.15", + "10.0.2.3", + "151.101.130.217", "151.101.194.217", "151.101.2.217", - "151.101.66.217", - "151.101.130.217", - "10.0.2.3", - "10.0.2.15" + "151.101.66.217" ], "service.type": "suricata", "source.address": "10.0.2.3", @@ -1412,12 +1412,6 @@ "destination.ip": "10.0.2.15", "destination.port": 59203, "dns.answers": [ - { - "data": "dualstack.r2.shared.global.fastly.net", - "name": "www.elastic.co", - "ttl": 269, - "type": "CNAME" - }, { "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", 
@@ -1441,11 +1435,17 @@ "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" + }, + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 269, + "type": "CNAME" } ], "dns.header_flags": [ - "RD", - "RA" + "RA", + "RD" ], "dns.id": "12859", "dns.question.name": "www.elastic.co", @@ -1478,12 +1478,12 @@ "network.protocol": "dns", "network.transport": "udp", "related.ip": [ + "10.0.2.15", + "10.0.2.3", "2a04:4e42:0000:0000:0000:0000:0000:0729", "2a04:4e42:0200:0000:0000:0000:0000:0729", "2a04:4e42:0400:0000:0000:0000:0000:0729", - "2a04:4e42:0600:0000:0000:0000:0000:0729", - "10.0.2.3", - "10.0.2.15" + "2a04:4e42:0600:0000:0000:0000:0000:0729" ], "service.type": "suricata", "source.address": "10.0.2.3", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index cfd6fa5ff83..8fb7eb1a9ee 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -21,8 +21,8 @@ "network.protocol": "ssh", "network.transport": "tcp", "related.ip": [ - "192.168.86.85", - "192.168.253.112" + "192.168.253.112", + "192.168.86.85" ], "service.type": "suricata", "source.address": "192.168.86.85", @@ -48,8 +48,8 @@ "destination.packets": 3, "destination.port": 443, "event.category": [ - "network", - "intrusion_detection" + "intrusion_detection", + "network" ], "event.dataset": "suricata.eve", "event.kind": "alert", @@ -70,8 +70,8 @@ "network.protocol": "tls", "network.transport": "tcp", "related.ip": [ - "192.168.86.85", - "192.168.156.70" + "192.168.156.70", + "192.168.86.85" ], "rule.category": "Potential Corporate Privacy Violation", "rule.id": "2024833", 
@@ -134,8 +134,8 @@ "192.168.86.28" ], "related.ip": [ - "192.168.86.85", - "192.168.86.28" + "192.168.86.28", + "192.168.86.85" ], "service.type": "suricata", "source.address": "192.168.86.85", @@ -449,8 +449,8 @@ "6AFFACA65F8A05E7A98C7629B908C769ADDC7247" ], "related.ip": [ - "192.168.86.85", - "17.142.164.13" + "17.142.164.13", + "192.168.86.85" ], "service.type": "suricata", "source.address": "192.168.86.85", diff --git a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json index c3d6c804d75..ef17722e83c 100644 --- a/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abusemalware/test/abusechmalware.ndjson.log-expected.json @@ -10,15 +10,15 @@ "input.type": "log", "log.offset": 0, "related.hash": [ - "7871286a8f1f68a14b18ae475683f724", "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "7871286a8f1f68a14b18ae475683f724" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "7871286a8f1f68a14b18ae475683f724", "threatintel.indicator.file.hash.sha256": "48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f", 
@@ -41,15 +41,15 @@ "input.type": "log", "log.offset": 580, "related.hash": [ - "7b4c77dc293347b467fb860e34515163", - "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "7b4c77dc293347b467fb860e34515163", + "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "7b4c77dc293347b467fb860e34515163", "threatintel.indicator.file.hash.sha256": "ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4", @@ -73,14 +73,14 @@ "log.offset": 1160, "related.hash": [ "373d34874d7bc89fd4cefa6272ee80bf", - "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d", "threatintel.abusemalware.virustotal.percent": "37.88", 
@@ -106,15 +106,15 @@ "input.type": "log", "log.offset": 1904, "related.hash": [ - "e2e02aae857488dbdbe6631c29abf3f8", - "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", + "e2e02aae857488dbdbe6631c29abf3f8" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "e2e02aae857488dbdbe6631c29abf3f8", "threatintel.indicator.file.hash.sha256": "7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8", @@ -138,13 +138,13 @@ "log.offset": 2493, "related.hash": [ "3e988e32b0c3c230d534e286665b89a5", - "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b", - "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR" + "6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR", + "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "3e988e32b0c3c230d534e286665b89a5", "threatintel.indicator.file.hash.sha256": "760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b", 
@@ -166,15 +166,15 @@ "input.type": "log", "log.offset": 3054, "related.hash": [ - "dcc20d534cdf29eab03d8148bf728857", - "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac", + "dcc20d534cdf29eab03d8148bf728857" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.abusemalware.virustotal.link": "https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0", "threatintel.abusemalware.virustotal.percent": "39.13", @@ -200,15 +200,15 @@ "input.type": "log", "log.offset": 3798, "related.hash": [ - "f6facbf7a90b9e67a6de9f6634eb40ba", - "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", + "f6facbf7a90b9e67a6de9f6634eb40ba" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "f6facbf7a90b9e67a6de9f6634eb40ba", "threatintel.indicator.file.hash.sha256": "e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be", 
@@ -232,14 +232,14 @@ "log.offset": 4387, "related.hash": [ "44325fd5bdda2e2cdea07c3a39953bb1", - "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "44325fd5bdda2e2cdea07c3a39953bb1", "threatintel.indicator.file.hash.sha256": "beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac", @@ -263,14 +263,14 @@ "log.offset": 4967, "related.hash": [ "4c549051950522a3f1b0814aa9b1f6d1", - "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.abusemalware.signature": "Heodo", "threatintel.indicator.file.hash.md5": "4c549051950522a3f1b0814aa9b1f6d1", 
@@ -294,15 +294,15 @@ "input.type": "log", "log.offset": 5550, "related.hash": [ - "d7333113098d88b6a5dd5b8eb24f9b87", "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4", "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "d7333113098d88b6a5dd5b8eb24f9b87" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "d7333113098d88b6a5dd5b8eb24f9b87", "threatintel.indicator.file.hash.sha256": "426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4", @@ -325,15 +325,15 @@ "input.type": "log", "log.offset": 6139, "related.hash": [ - "c8dbb261c1f450534c3693da2f4b479f", "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "c8dbb261c1f450534c3693da2f4b479f" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "c8dbb261c1f450534c3693da2f4b479f", "threatintel.indicator.file.hash.sha256": "25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9", 
@@ -356,15 +356,15 @@ "input.type": "log", "log.offset": 6719, "related.hash": [ - "714953f1d0031a4bb2f0c44afd015931", - "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "714953f1d0031a4bb2f0c44afd015931", + "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "714953f1d0031a4bb2f0c44afd015931", "threatintel.indicator.file.hash.sha256": "b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5", @@ -388,14 +388,14 @@ "log.offset": 7299, "related.hash": [ "20fd22742500d4cec123398afc3d3672", - "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "20fd22742500d4cec123398afc3d3672", "threatintel.indicator.file.hash.sha256": "e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b", 
@@ -418,15 +418,15 @@ "input.type": "log", "log.offset": 7879, "related.hash": [ - "aa81ceea053797a6f8c38a0f2f9b80b0", - "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "aa81ceea053797a6f8c38a0f2f9b80b0", + "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "aa81ceea053797a6f8c38a0f2f9b80b0", "threatintel.indicator.file.hash.sha256": "dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e", @@ -449,15 +449,15 @@ "input.type": "log", "log.offset": 8459, "related.hash": [ - "a2ce6795664c0fa93b07fa54ba868991", "0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "a2ce6795664c0fa93b07fa54ba868991" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.abusemalware.signature": "Heodo", "threatintel.indicator.file.hash.md5": "a2ce6795664c0fa93b07fa54ba868991", 
@@ -481,15 +481,15 @@ "input.type": "log", "log.offset": 9042, "related.hash": [ - "9b9bac158dacb9c2f5511e9c464a7de4", "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e", "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "9b9bac158dacb9c2f5511e9c464a7de4" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "9b9bac158dacb9c2f5511e9c464a7de4", "threatintel.indicator.file.hash.sha256": "07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e", @@ -512,15 +512,15 @@ "input.type": "log", "log.offset": 9611, "related.hash": [ - "e48e3fa5e0f7b21c1ecf1efc81ff91e8", - "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", + "e48e3fa5e0f7b21c1ecf1efc81ff91e8" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "e48e3fa5e0f7b21c1ecf1efc81ff91e8", "threatintel.indicator.file.hash.sha256": "708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5", 
@@ -543,15 +543,15 @@ "input.type": "log", "log.offset": 10191, "related.hash": [ - "8957f5347633ab4b10c2ae4fb92c8572", - "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37", "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "8957f5347633ab4b10c2ae4fb92c8572", + "f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.abusemalware.signature": "Heodo", "threatintel.indicator.file.hash.md5": "8957f5347633ab4b10c2ae4fb92c8572", @@ -576,14 +576,14 @@ "log.offset": 10783, "related.hash": [ "09cc76b7077b4d5704e46e864575ff03", - "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "09cc76b7077b4d5704e46e864575ff03", "threatintel.indicator.file.hash.sha256": "94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1", 
@@ -606,15 +606,15 @@ "input.type": "log", "log.offset": 11363, "related.hash": [ - "98a1cdf7de4232363f1d1e0f33dbfd99", - "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", + "98a1cdf7de4232363f1d1e0f33dbfd99" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "98a1cdf7de4232363f1d1e0f33dbfd99", "threatintel.indicator.file.hash.sha256": "909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f", @@ -637,15 +637,15 @@ "input.type": "log", "log.offset": 11952, "related.hash": [ - "8a51830c1662513ba6bd44e2f7849547", - "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa", "6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "8a51830c1662513ba6bd44e2f7849547", + "d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.abusemalware.signature": "Heodo", "threatintel.indicator.file.hash.md5": "8a51830c1662513ba6bd44e2f7849547", 
@@ -669,15 +669,15 @@ "input.type": "log", "log.offset": 12544, "related.hash": [ - "ae21d742a8118d6b86674aa5370bd6a7", "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", "6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "ae21d742a8118d6b86674aa5370bd6a7" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "ae21d742a8118d6b86674aa5370bd6a7", "threatintel.indicator.file.hash.sha256": "3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51", @@ -700,15 +700,15 @@ "input.type": "log", "log.offset": 13113, "related.hash": [ - "78c9d88d24ed1d982a83216eed1590f6", - "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "78c9d88d24ed1d982a83216eed1590f6", + "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "78c9d88d24ed1d982a83216eed1590f6", "threatintel.indicator.file.hash.sha256": "d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99", 
@@ -732,14 +732,14 @@ "log.offset": 13693, "related.hash": [ "236577d5d83e2a8d08623a7a7f724188", - "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", "6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC", + "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", "ed2860c18f5483e3b5388bad75169dc1" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "236577d5d83e2a8d08623a7a7f724188", "threatintel.indicator.file.hash.sha256": "8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa", @@ -762,15 +762,15 @@ "input.type": "log", "log.offset": 14256, "related.hash": [ - "ff60107d82dcda7e6726d214528758e7", - "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", "6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU", - "68aea345b134d576ccdef7f06db86088" + "68aea345b134d576ccdef7f06db86088", + "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", + "ff60107d82dcda7e6726d214528758e7" ], "service.type": "threatintel", "tags": [ - "threatintel-abusemalware", - "forwarded" + "forwarded", + "threatintel-abusemalware" ], "threatintel.indicator.file.hash.md5": "ff60107d82dcda7e6726d214528758e7", "threatintel.indicator.file.hash.sha256": "fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27", diff --git a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json index 25ce780046f..e0c47170106 100644 --- a/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/abuseurl/test/abusechurl.ndjson.log-expected.json 
@@ -11,16 +11,16 @@ "log.offset": 0, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961548", "threatintel.abuseurl.larted": false, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -47,16 +47,16 @@ "log.offset": 359, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961546", "threatintel.abuseurl.larted": false, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -83,16 +83,16 @@ "log.offset": 716, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961547", "threatintel.abuseurl.larted": false, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -119,16 +119,16 @@ "log.offset": 1075, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961545", "threatintel.abuseurl.larted": false, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -155,16 +155,16 @@ "log.offset": 1434, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961544", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -191,16 +191,16 @@ "log.offset": 1784, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961543", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -227,16 +227,16 @@ "log.offset": 2136, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961540", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -263,16 +263,16 @@ "log.offset": 2492, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961541", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -299,16 +299,16 @@ "log.offset": 2848, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961542", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -335,16 +335,16 @@ "log.offset": 3204, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961539", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -371,16 +371,16 @@ "log.offset": 3558, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961538", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -407,16 +407,16 @@ "log.offset": 3916, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961537", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -443,16 +443,16 @@ "log.offset": 4276, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961531", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -479,16 +479,16 @@ "log.offset": 4632, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961532", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -515,16 +515,16 @@ "log.offset": 4986, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961533", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -551,16 +551,16 @@ "log.offset": 5344, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961534", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -587,16 +587,16 @@ "log.offset": 5698, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961535", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -623,16 +623,16 @@ "log.offset": 6050, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961536", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -659,16 +659,16 @@ "log.offset": 6408, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961530", "threatintel.abuseurl.larted": false, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "offline", @@ -695,16 +695,16 @@ "log.offset": 6768, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961525", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -731,16 +731,16 @@ "log.offset": 7122, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961526", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -767,16 +767,16 @@ "log.offset": 7480, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961527", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -803,16 +803,16 @@ "log.offset": 7836, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961528", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -839,16 +839,16 @@ "log.offset": 8194, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961529", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -875,8 +875,8 @@ "log.offset": 8552, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -910,8 +910,8 @@ "log.offset": 8903, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -945,8 +945,8 @@ "log.offset": 9254, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -980,8 +980,8 @@ "log.offset": 9609, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1015,8 +1015,8 @@ "log.offset": 9960, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1050,8 +1050,8 @@ "log.offset": 10309, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1085,16 +1085,16 @@ "log.offset": 10662, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961519", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -1121,8 +1121,8 @@ "log.offset": 11022, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1158,16 +1158,16 @@ "log.offset": 11386, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961517", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1194,8 +1194,8 @@ "log.offset": 11742, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1229,8 +1229,8 @@ "log.offset": 12093, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1264,8 +1264,8 @@ "log.offset": 12444, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1299,8 +1299,8 @@ "log.offset": 12791, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -1334,8 +1334,8 @@ "log.offset": 13140, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1369,8 +1369,8 @@ "log.offset": 13491, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1405,8 +1405,8 @@ "log.offset": 13848, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1440,16 +1440,16 @@ "log.offset": 14197, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961507", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1476,16 +1476,16 @@ "log.offset": 14553, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961508", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -1512,16 +1512,16 @@ "log.offset": 14911, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961506", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1548,16 +1548,16 @@ "log.offset": 15267, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961504", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1584,16 +1584,16 @@ "log.offset": 15621, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961505", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -1620,16 +1620,16 @@ "log.offset": 15981, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961500", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1656,16 +1656,16 @@ "log.offset": 16339, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961501", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1692,16 +1692,16 @@ "log.offset": 16693, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961502", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -1728,16 +1728,16 @@ "log.offset": 17051, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961503", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1764,16 +1764,16 @@ "log.offset": 17407, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961496", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1800,16 +1800,16 @@ "log.offset": 17765, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961497", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", 
@@ -1836,16 +1836,16 @@ "log.offset": 18123, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961498", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1872,16 +1872,16 @@ "log.offset": 18479, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", "threatintel.abuseurl.id": "961499", "threatintel.abuseurl.larted": true, "threatintel.abuseurl.tags": [ - "elf", - "Mozi" + "Mozi", + "elf" ], "threatintel.abuseurl.threat": "malware_download", "threatintel.abuseurl.url_status": "online", @@ -1908,8 +1908,8 @@ "log.offset": 18837, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1942,8 +1942,8 @@ "log.offset": 19207, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -1976,8 +1976,8 @@ "log.offset": 19580, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -2010,8 +2010,8 @@ "log.offset": 19961, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2044,8 +2044,8 @@ "log.offset": 20332, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2078,8 +2078,8 @@ "log.offset": 20702, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2112,8 +2112,8 @@ "log.offset": 21070, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2146,8 +2146,8 @@ "log.offset": 21442, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2180,8 +2180,8 @@ "log.offset": 21831, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -2214,8 +2214,8 @@ "log.offset": 22214, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2248,8 +2248,8 @@ "log.offset": 22594, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2282,8 +2282,8 @@ "log.offset": 22968, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2316,8 +2316,8 @@ "log.offset": 23335, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2350,8 +2350,8 @@ "log.offset": 23724, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2384,8 +2384,8 @@ "log.offset": 24094, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -2418,8 +2418,8 @@ "log.offset": 24466, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2452,8 +2452,8 @@ "log.offset": 24833, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2486,8 +2486,8 @@ "log.offset": 25201, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2520,8 +2520,8 @@ "log.offset": 25579, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2554,8 +2554,8 @@ "log.offset": 25949, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2588,8 +2588,8 @@ "log.offset": 26336, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -2622,8 +2622,8 @@ "log.offset": 26708, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2656,8 +2656,8 @@ "log.offset": 27093, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2690,8 +2690,8 @@ "log.offset": 27476, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2724,8 +2724,8 @@ "log.offset": 27859, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2758,8 +2758,8 @@ "log.offset": 28247, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2792,8 +2792,8 @@ "log.offset": 28618, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -2826,8 +2826,8 @@ "log.offset": 28985, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2860,8 +2860,8 @@ "log.offset": 29357, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2894,8 +2894,8 @@ "log.offset": 29727, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2928,8 +2928,8 @@ "log.offset": 30100, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2962,8 +2962,8 @@ "log.offset": 30479, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -2996,8 +2996,8 @@ "log.offset": 30853, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -3030,8 +3030,8 @@ "log.offset": 31227, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3064,8 +3064,8 @@ "log.offset": 31599, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3098,8 +3098,8 @@ "log.offset": 31966, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3132,8 +3132,8 @@ "log.offset": 32353, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3166,8 +3166,8 @@ "log.offset": 32726, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3200,8 +3200,8 @@ "log.offset": 33096, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -3234,8 +3234,8 @@ "log.offset": 33463, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3268,8 +3268,8 @@ "log.offset": 33833, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3302,8 +3302,8 @@ "log.offset": 34205, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3336,8 +3336,8 @@ "log.offset": 34573, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3370,8 +3370,8 @@ "log.offset": 34940, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3404,8 +3404,8 @@ "log.offset": 35312, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", 
@@ -3438,8 +3438,8 @@ "log.offset": 35685, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", @@ -3472,8 +3472,8 @@ "log.offset": 36053, "service.type": "threatintel", "tags": [ - "threatintel-abuseurls", - "forwarded" + "forwarded", + "threatintel-abuseurls" ], "threatintel.abuseurl.blacklists.spamhaus_dbl": "not listed", "threatintel.abuseurl.blacklists.surbl": "not listed", diff --git a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json index c40db227906..d647be09675 100644 --- a/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/anomali/test/anomali_limo.ndjson.log-expected.json @@ -10,15 +10,15 @@ "log.offset": 0, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", "threatintel.anomali.id": "indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-76" + "threatstream-confidence-76", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:58:57.431Z", "threatintel.anomali.name": "mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php", 
@@ -46,15 +46,15 @@ "log.offset": 609, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", "threatintel.anomali.id": "indicator--f9fe5c81-6869-4247-af81-62b7c8aba209", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-68" + "threatstream-confidence-68", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:58:57.503Z", "threatintel.anomali.name": "mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php", @@ -82,15 +82,15 @@ "log.offset": 1255, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", "threatintel.anomali.id": "indicator--b0e14122-9005-4776-99fc-00872476c6d1", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-71" + "threatstream-confidence-71", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:58:57.570Z", "threatintel.anomali.name": "mal_url: http://f0387770.xsph.ru/login", 
@@ -117,15 +117,15 @@ "log.offset": 1867, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime", "threatintel.anomali.id": "indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-50" + "threatstream-confidence-50", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:58:59.366Z", "threatintel.anomali.name": "mal_url: http://178.62.187.103/login", @@ -152,15 +152,15 @@ "log.offset": 2441, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime", "threatintel.anomali.id": "indicator--189ce776-6d7e-4e85-9222-de5876644988", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-66" + "threatstream-confidence-66", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:58:59.457Z", "threatintel.anomali.name": "mal_url: http://appareluea.com/panel/admin.php", 
@@ -188,15 +188,15 @@ "log.offset": 3015, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", "threatintel.anomali.id": "indicator--a4144d34-b86d-475e-8047-eb46b48ee325", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-93" + "threatstream-confidence-93", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:59:06.402Z", "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot3/login.php", @@ -224,15 +224,15 @@ "log.offset": 3598, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime", "threatintel.anomali.id": "indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-49" + "threatstream-confidence-49", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:59:19.990Z", "threatintel.anomali.name": "mal_ip: 162.144.128.116", 
@@ -256,15 +256,15 @@ "log.offset": 4149, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", "threatintel.anomali.id": "indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-79" + "threatstream-confidence-79", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:59:20.155Z", "threatintel.anomali.name": "mal_url: http://ntrcgroup.com/nze/panel/admin.php", @@ -292,15 +292,15 @@ "log.offset": 4747, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", "threatintel.anomali.id": "indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-76" + "threatstream-confidence-76", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:59:25.521Z", "threatintel.anomali.name": "mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php", 
@@ -328,15 +328,15 @@ "log.offset": 5356, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", "threatintel.anomali.id": "indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-68" + "threatstream-confidence-68", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:59:25.626Z", "threatintel.anomali.name": "mal_url: http://f0390764.xsph.ru/login", @@ -363,15 +363,15 @@ "log.offset": 5971, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime", "threatintel.anomali.id": "indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-85" + "threatstream-confidence-85", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-22T02:59:36.461Z", "threatintel.anomali.name": "mal_ip: 45.143.138.39", 
@@ -395,15 +395,15 @@
 "log.offset": 6501,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-82"
+ "threatstream-confidence-82",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T02:59:41.193Z",
 "threatintel.anomali.name": "mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php",
@@ -431,15 +431,15 @@
 "log.offset": 7147,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-61"
+ "threatstream-confidence-61",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T02:59:41.228Z",
 "threatintel.anomali.name": "mal_url: http://95.182.122.184/",
@@ -466,15 +466,15 @@
 "log.offset": 7711,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--408ebd2d-063f-4646-b2e7-c00519869736",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-62"
+ "threatstream-confidence-62",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T02:59:51.313Z",
 "threatintel.anomali.name": "mal_ip: 198.54.115.121",
@@ -498,15 +498,15 @@
 "log.offset": 8259,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-38"
+ "threatstream-confidence-38",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T02:59:51.372Z",
 "threatintel.anomali.name": "mal_ip: 192.185.119.172",
@@ -530,15 +530,15 @@
 "log.offset": 8812,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-61"
+ "threatstream-confidence-61",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T02:59:51.442Z",
 "threatintel.anomali.name": "mal_url: http://f0389246.xsph.ru/login",
@@ -565,15 +565,15 @@
 "log.offset": 9427,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--213519c9-f511-4188-89c8-159f35f08008",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-66"
+ "threatstream-confidence-66",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:01.563Z",
 "threatintel.anomali.name": "mal_url: http://appareluea.com/server/cp.php",
@@ -601,15 +601,15 @@
 "log.offset": 9997,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--5a563c85-c528-4e33-babe-2dcff34f73c4",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-93"
+ "threatstream-confidence-93",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:03.138Z",
 "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot2/login.php",
@@ -637,15 +637,15 @@
 "log.offset": 10580,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-76"
+ "threatstream-confidence-76",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:03.396Z",
 "threatintel.anomali.name": "mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php",
@@ -673,15 +673,15 @@
 "log.offset": 11189,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-87"
+ "threatstream-confidence-87",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:03.642Z",
 "threatintel.anomali.name": "mal_url: http://mecharnise.ir/ca4/panel/admin.php",
@@ -709,15 +709,15 @@
 "log.offset": 11769,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-76"
+ "threatstream-confidence-76",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:27.534Z",
 "threatintel.anomali.name": "mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php",
@@ -745,15 +745,15 @@
 "log.offset": 12378,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--d6b59b66-5020-4368-85a7-196026856ea9",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-78"
+ "threatstream-confidence-78",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:27.591Z",
 "threatintel.anomali.name": "mal_url: http://kironofer.com/webpanel/login.php",
@@ -781,15 +781,15 @@
 "log.offset": 12985,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-68"
+ "threatstream-confidence-68",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:45.787Z",
 "threatintel.anomali.name": "mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
@@ -817,15 +817,15 @@
 "log.offset": 13633,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-91"
+ "threatstream-confidence-91",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:45.841Z",
 "threatintel.anomali.name": "mal_url: http://smartlinktelecom.top/kings/panel/admin.php",
@@ -853,15 +853,15 @@
 "log.offset": 14255,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--17777e7f-3e91-4446-a43d-79139de8a948",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-64"
+ "threatstream-confidence-64",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:45.959Z",
 "threatintel.anomali.name": "mal_url: http://carirero.net/login.php",
@@ -889,15 +889,15 @@
 "log.offset": 14830,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-30"
+ "threatstream-confidence-30",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:46.025Z",
 "threatintel.anomali.name": "mal_ip: 74.116.84.20",
@@ -921,15 +921,15 @@
 "log.offset": 15387,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--b4fd8489-9589-4f70-996c-84989245a21b",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-43"
+ "threatstream-confidence-43",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:00:57.729Z",
 "threatintel.anomali.name": "mal_url: http://tuu.nu/login",
@@ -956,15 +956,15 @@
 "log.offset": 15942,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--bc50c62f-a015-4460-87df-2137626877e3",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-36"
+ "threatstream-confidence-36",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:01:02.696Z",
 "threatintel.anomali.name": "mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php",
@@ -992,15 +992,15 @@
 "log.offset": 16606,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-65"
+ "threatstream-confidence-65",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:01:02.807Z",
 "threatintel.anomali.name": "mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php",
@@ -1028,15 +1028,15 @@
 "log.offset": 17261,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--9c0e63a1-c32a-470a-bf09-51488e239c63",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-93"
+ "threatstream-confidence-93",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:01:24.810Z",
 "threatintel.anomali.name": "mal_url: http://nkpotu.xyz/Kpot1/login.php",
@@ -1064,15 +1064,15 @@
 "log.offset": 17841,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--8047678e-20be-4116-9bc4-7bb7c26554e0",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-87"
+ "threatstream-confidence-87",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:01:41.158Z",
 "threatintel.anomali.name": "mal_ip: 194.87.147.80",
@@ -1096,15 +1096,15 @@
 "log.offset": 18385,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--c57a880c-1ce0-45de-9bab-fb2910454a61",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-85"
+ "threatstream-confidence-85",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:01:57.189Z",
 "threatintel.anomali.name": "mal_url: http://35.158.92.3/panel/admin.php",
@@ -1132,15 +1132,15 @@
 "log.offset": 18973,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-42"
+ "threatstream-confidence-42",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:01:57.279Z",
 "threatintel.anomali.name": "mal_ip: 45.95.168.70",
@@ -1164,15 +1164,15 @@
 "log.offset": 19501,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--23215acb-4989-4434-ac6d-8f9367734f0f",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-76"
+ "threatstream-confidence-76",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:02:50.570Z",
 "threatintel.anomali.name": "mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php",
@@ -1200,15 +1200,15 @@
 "log.offset": 20107,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-26"
+ "threatstream-confidence-26",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:02:52.496Z",
 "threatintel.anomali.name": "mal_url: http://f0391600.xsph.ru/login",
@@ -1235,15 +1235,15 @@
 "log.offset": 20722,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--10958d74-ec60-41af-a1ab-1613257e670f",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-94"
+ "threatstream-confidence-94",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:03:42.819Z",
 "threatintel.anomali.name": "mal_url: http://extraclick.space/login.php",
@@ -1271,15 +1271,15 @@
 "log.offset": 21304,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--19556daa-6293-400d-8706-d0baa6b16b7a",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-87"
+ "threatstream-confidence-87",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:03:52.044Z",
 "threatintel.anomali.name": "mal_url: http://petrogarmani.pw/login.php",
@@ -1307,15 +1307,15 @@
 "log.offset": 21882,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-68"
+ "threatstream-confidence-68",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:04:01.650Z",
 "threatintel.anomali.name": "mal_url: http://worldatdoor.in/mighty/32/panel/admin.php",
@@ -1343,15 +1343,15 @@
 "log.offset": 22491,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--43febf7d-4185-4a12-a868-e7be690b14aa",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-92"
+ "threatstream-confidence-92",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:04:32.717Z",
 "threatintel.anomali.name": "mal_url: http://zanlma.com/login",
@@ -1378,15 +1378,15 @@
 "log.offset": 23094,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--a34728e6-f91d-47e6-a4d8-a69176299e45",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-84"
+ "threatstream-confidence-84",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:04:56.858Z",
 "threatintel.anomali.name": "mal_url: http://f0369688.xsph.ru/login",
@@ -1413,15 +1413,15 @@
 "log.offset": 23709,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-76"
+ "threatstream-confidence-76",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-22T03:04:59.245Z",
 "threatintel.anomali.name": "mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php",
@@ -1449,15 +1449,15 @@
 "log.offset": 24318,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-57"
+ "threatstream-confidence-57",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-23T03:00:22.287Z",
 "threatintel.anomali.name": "mal_ip: 192.185.214.199",
@@ -1481,15 +1481,15 @@
 "log.offset": 24871,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-24"
+ "threatstream-confidence-24",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-23T03:01:11.329Z",
 "threatintel.anomali.name": "mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
@@ -1517,15 +1517,15 @@
 "log.offset": 25529,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--88e98e13-4bfd-4188-941a-f696a7b86b71",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-61"
+ "threatstream-confidence-61",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-23T03:01:36.682Z",
 "threatintel.anomali.name": "mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php",
@@ -1553,15 +1553,15 @@
 "log.offset": 26146,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--27323b7d-85d3-4e89-8249-b7696925a772",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-93"
+ "threatstream-confidence-93",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-23T03:02:15.854Z",
 "threatintel.anomali.name": "mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php",
@@ -1589,15 +1589,15 @@
 "log.offset": 26788,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--b0639721-de55-48c6-b237-3859d61aecfb",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-62"
+ "threatstream-confidence-62",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-23T03:02:47.364Z",
 "threatintel.anomali.name": "mal_url: http://f0392261.xsph.ru/login",
@@ -1624,15 +1624,15 @@
 "log.offset": 27403,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--677e714d-c237-42a1-b6b7-9145acd13eee",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-80"
+ "threatstream-confidence-80",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-23T03:03:05.048Z",
 "threatintel.anomali.name": "mal_url: http://104.168.99.168/panel/panel/admin.php",
@@ -1660,15 +1660,15 @@
 "log.offset": 28008,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-69"
+ "threatstream-confidence-69",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-23T03:03:15.734Z",
 "threatintel.anomali.name": "mal_url: http://f0387404.xsph.ru/panel/admin.php",
@@ -1696,15 +1696,15 @@
 "log.offset": 28643,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-72"
+ "threatstream-confidence-72",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-23T03:03:42.599Z",
 "threatintel.anomali.name": "mal_url: http://a0386457.xsph.ru/panel/admin.php",
@@ -1732,15 +1732,15 @@
 "log.offset": 29278,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-74"
+ "threatstream-confidence-74",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-24T02:57:04.821Z",
 "threatintel.anomali.name": "mal_url: http://defenseisrael.com/dis/index.php",
@@ -1768,15 +1768,15 @@
 "log.offset": 29854,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-83"
+ "threatstream-confidence-83",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-24T02:57:04.857Z",
 "threatintel.anomali.name": "mal_ip: 91.215.170.249",
@@ -1800,15 +1800,15 @@
 "log.offset": 30419,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-79"
+ "threatstream-confidence-79",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-24T02:57:04.883Z",
 "threatintel.anomali.name": "mal_url: http://lbfb3f03.justinstalledpanel.com/login",
@@ -1835,15 +1835,15 @@
 "log.offset": 31024,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-93"
+ "threatstream-confidence-93",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-24T02:57:12.997Z",
 "threatintel.anomali.name": "mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php",
@@ -1871,15 +1871,15 @@
 "log.offset": 31656,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-87"
+ "threatstream-confidence-87",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-24T02:57:13.025Z",
 "threatintel.anomali.name": "mal_url: http://199.192.28.11/panel/admin.php",
@@ -1907,15 +1907,15 @@
 "log.offset": 32244,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-82"
+ "threatstream-confidence-82",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-24T02:57:32.901Z",
 "threatintel.anomali.name": "mal_url: http://217.8.117.51/aW8bVds1/login.php",
@@ -1943,15 +1943,15 @@
 "log.offset": 32820,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--a050832c-db6e-49a0-8470-7a3cd8f17178",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-93"
+ "threatstream-confidence-93",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-24T02:57:32.929Z",
 "threatintel.anomali.name": "mal_url: http://lansome.site/login",
@@ -1978,15 +1978,15 @@
 "log.offset": 33391,
 "service.type": "threatintel",
 "tags": [
- "threatintel-anomali",
- "forwarded"
+ "forwarded",
+ "threatintel-anomali"
 ],
 "threatintel.anomali.description": "TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime",
 "threatintel.anomali.id": "indicator--e88008f4-76fc-428d-831a-4b389e48b712",
 "threatintel.anomali.labels": [
 "malicious-activity",
- "threatstream-severity-medium",
- "threatstream-confidence-83"
+ "threatstream-confidence-83",
+ "threatstream-severity-medium"
 ],
 "threatintel.anomali.modified": "2020-01-24T02:57:49.028Z",
 "threatintel.anomali.name": "mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php",
@@ -2014,15 +2014,15 @@ "log.offset": 34081, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "threatintel.anomali.id": "indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-94" + "threatstream-confidence-94", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:58:03.345Z", "threatintel.anomali.name": "mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php", @@ -2050,15 +2050,15 @@ "log.offset": 34720, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", "threatintel.anomali.id": "indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-81" + "threatstream-confidence-81", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:58:16.318Z", "threatintel.anomali.name": "mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php", 
@@ -2086,15 +2086,15 @@ "log.offset": 35346, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime", "threatintel.anomali.id": "indicator--4adabe80-3be4-401a-948a-f9724c872374", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-66" + "threatstream-confidence-66", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:58:16.358Z", "threatintel.anomali.name": "mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php", @@ -2122,15 +2122,15 @@ "log.offset": 36034, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime", "threatintel.anomali.id": "indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-82" + "threatstream-confidence-82", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:58:32.126Z", "threatintel.anomali.name": "mal_url: http://suspiciousactivity.xyz/login", 
@@ -2157,15 +2157,15 @@ "log.offset": 36604, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime", "threatintel.anomali.id": "indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-82" + "threatstream-confidence-82", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:58:37.603Z", "threatintel.anomali.name": "mal_url: http://217.8.117.8/login", @@ -2192,15 +2192,15 @@ "log.offset": 37152, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", "threatintel.anomali.id": "indicator--33e674f5-a64a-48f4-9d8c-248348356135", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-71" + "threatstream-confidence-71", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:58:37.643Z", "threatintel.anomali.name": "mal_url: http://f0387550.xsph.ru/login", 
@@ -2227,15 +2227,15 @@ "log.offset": 37767, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "threatintel.anomali.id": "indicator--6311f539-1d5d-423f-a238-d0c1dc167432", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-84" + "threatstream-confidence-84", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:58:39.465Z", "threatintel.anomali.name": "mal_url: http://lf4e4abf.justinstalledpanel.com/login", @@ -2262,15 +2262,15 @@ "log.offset": 38372, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime", "threatintel.anomali.id": "indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-81" + "threatstream-confidence-81", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:59:02.031Z", "threatintel.anomali.name": "mal_ip: 206.217.131.245", 
@@ -2294,15 +2294,15 @@ "log.offset": 38925, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime", "threatintel.anomali.id": "indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-52" + "threatstream-confidence-52", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:59:15.878Z", "threatintel.anomali.name": "mal_url: http://67.215.224.101/a1/panel/admin.php", @@ -2330,15 +2330,15 @@ "log.offset": 39521, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime", "threatintel.anomali.id": "indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-58" + "threatstream-confidence-58", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:59:29.155Z", "threatintel.anomali.name": "mal_ip: 162.241.73.163", 
@@ -2362,15 +2362,15 @@ "log.offset": 40072, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "threatintel.anomali.id": "indicator--d5bdff38-6939-4a47-8e11-b910520565c4", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-78" + "threatstream-confidence-78", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:59:50.233Z", "threatintel.anomali.name": "mal_url: http://l60bdd58.justinstalledpanel.com/login", @@ -2397,15 +2397,15 @@ "log.offset": 40677, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "threatintel.anomali.id": "indicator--1be74977-5aa6-4175-99dd-32b54863a06b", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-25" + "threatstream-confidence-25", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:59:50.255Z", "threatintel.anomali.name": "mal_url: http://107.175.150.73/~giftioz/.azma/panel/admin.php", 
@@ -2433,15 +2433,15 @@ "log.offset": 41300, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "threatintel.anomali.id": "indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-78" + "threatstream-confidence-78", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:59:52.536Z", "threatintel.anomali.name": "mal_url: http://5.188.60.52/login", @@ -2468,15 +2468,15 @@ "log.offset": 41865, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime", "threatintel.anomali.id": "indicator--504f4011-eaea-4921-aad5-f102bef7c798", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-85" + "threatstream-confidence-85", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:59:54.784Z", "threatintel.anomali.name": "mal_url: http://trotdeiman.ga/login", 
@@ -2503,15 +2503,15 @@ "log.offset": 42434, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime", "threatintel.anomali.id": "indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-82" + "threatstream-confidence-82", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T02:59:54.815Z", "threatintel.anomali.name": "mal_ip: 217.8.117.8", @@ -2535,15 +2535,15 @@ "log.offset": 42960, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime", "threatintel.anomali.id": "indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-83" + "threatstream-confidence-83", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:00:01.726Z", "threatintel.anomali.name": "mal_ip: 104.223.170.113", 
@@ -2567,15 +2567,15 @@ "log.offset": 43521, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", "threatintel.anomali.id": "indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-58" + "threatstream-confidence-58", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:00:01.762Z", "threatintel.anomali.name": "mal_url: http://tavim.org/includes/firmino/admin.php", @@ -2603,15 +2603,15 @@ "log.offset": 44126, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime", "threatintel.anomali.id": "indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-84" + "threatstream-confidence-84", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:00:10.928Z", "threatintel.anomali.name": "mal_url: http://onlinesecuritycenter.xyz/login", 
@@ -2638,15 +2638,15 @@ "log.offset": 44700, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime", "threatintel.anomali.id": "indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-81" + "threatstream-confidence-81", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:00:20.166Z", "threatintel.anomali.name": "mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php", @@ -2674,15 +2674,15 @@ "log.offset": 45330, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime", "threatintel.anomali.id": "indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-90" + "threatstream-confidence-90", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:00:24.048Z", "threatintel.anomali.name": "mal_url: http://jumbajumbadun.fun/login", 
@@ -2709,15 +2709,15 @@ "log.offset": 45890, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime", "threatintel.anomali.id": "indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-58" + "threatstream-confidence-58", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:00:55.816Z", "threatintel.anomali.name": "mal_url: http://tavim.org/includes/salah/admin.php", @@ -2745,15 +2745,15 @@ "log.offset": 46491, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "threatintel.anomali.id": "indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-80" + "threatstream-confidence-80", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:01:10.501Z", "threatintel.anomali.name": "mal_url: http://l0c23205.justinstalledpanel.com/login", 
@@ -2780,15 +2780,15 @@ "log.offset": 47096, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime", "threatintel.anomali.id": "indicator--7471a595-e8b0-4c41-be4c-0a3e55675630", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-83" + "threatstream-confidence-83", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:01:10.518Z", "threatintel.anomali.name": "mal_url: http://l535e9e5.justinstalledpanel.com/login", @@ -2815,15 +2815,15 @@ "log.offset": 47701, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime", "threatintel.anomali.id": "indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-76" + "threatstream-confidence-76", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-24T03:01:14.843Z", "threatintel.anomali.name": "mal_ip: 217.8.117.47", 
@@ -2847,15 +2847,15 @@ "log.offset": 48229, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", "threatintel.anomali.id": "indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-67" + "threatstream-confidence-67", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:57:12.699Z", "threatintel.anomali.name": "mal_url: http://46.161.27.57/northon/", @@ -2882,15 +2882,15 @@ "log.offset": 48824, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime", "threatintel.anomali.id": "indicator--54afbceb-72f3-484e-aee4-904f77beeff6", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-90" + "threatstream-confidence-90", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:57:28.034Z", "threatintel.anomali.name": "mal_url: http://104.168.99.170/login", 
@@ -2917,15 +2917,15 @@ "log.offset": 49397, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", "threatintel.anomali.id": "indicator--da030e10-af9f-462d-bda8-33abb223e950", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-89" + "threatstream-confidence-89", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:57:38.187Z", "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php", @@ -2953,15 +2953,15 @@ "log.offset": 50023, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", "threatintel.anomali.id": "indicator--d38e051a-bc5b-4723-884a-65e017d98299", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-65" + "threatstream-confidence-65", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:57:38.214Z", "threatintel.anomali.name": "mal_url: http://f0391587.xsph.ru/login", 
@@ -2988,15 +2988,15 @@ "log.offset": 50638, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime", "threatintel.anomali.id": "indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-67" + "threatstream-confidence-67", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:57:47.281Z", "threatintel.anomali.name": "mal_url: http://46.161.27.57:8080/northon/", @@ -3024,15 +3024,15 @@ "log.offset": 51243, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime", "threatintel.anomali.id": "indicator--b9715fd5-b89a-4859-b19f-55e052709227", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-79" + "threatstream-confidence-79", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:57:51.296Z", "threatintel.anomali.name": "mal_url: http://f0393086.xsph.ru/login", 
@@ -3059,15 +3059,15 @@ "log.offset": 51858, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", "threatintel.anomali.id": "indicator--e3177515-f481-46c8-bad8-582ba0858ef3", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-87" + "threatstream-confidence-87", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:57:56.007Z", "threatintel.anomali.name": "mal_url: http://insuncos.com/files1/panel/admin.php", @@ -3095,15 +3095,15 @@ "log.offset": 52460, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime", "threatintel.anomali.id": "indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-89" + "threatstream-confidence-89", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:57:56.044Z", "threatintel.anomali.name": "mal_url: http://tg-h.ru/login", 
@@ -3130,15 +3130,15 @@ "log.offset": 53022, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", "threatintel.anomali.id": "indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-86" + "threatstream-confidence-86", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:58:11.038Z", "threatintel.anomali.name": "mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php", @@ -3166,15 +3166,15 @@ "log.offset": 53740, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", "threatintel.anomali.id": "indicator--f1bdef49-666f-46b5-a323-efa1f1446b62", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-64" + "threatstream-confidence-64", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:58:20.420Z", "threatintel.anomali.name": "mal_url: http://185.234.217.36/northon/", 
@@ -3201,15 +3201,15 @@ "log.offset": 54330, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime", "threatintel.anomali.id": "indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-84" + "threatstream-confidence-84", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:58:20.448Z", "threatintel.anomali.name": "mal_url: http://topik07.mcdir.ru/papka/admin.php", @@ -3237,15 +3237,15 @@ "log.offset": 54924, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", "threatintel.anomali.id": "indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-87" + "threatstream-confidence-87", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:58:33.189Z", "threatintel.anomali.name": "mal_url: http://insuncos.com/files2/panel/admin.php", 
@@ -3273,15 +3273,15 @@ "log.offset": 55526, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime", "threatintel.anomali.id": "indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-47" + "threatstream-confidence-47", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:58:49.056Z", "threatintel.anomali.name": "mal_url: http://185.234.218.68/kaspersky/", @@ -3308,15 +3308,15 @@ "log.offset": 56123, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", "threatintel.anomali.id": "indicator--f502199a-17a4-404b-a114-fb5eda28c32c", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-89" + "threatstream-confidence-89", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:58:59.472Z", "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php", 
@@ -3344,15 +3344,15 @@ "log.offset": 56745, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", "threatintel.anomali.id": "indicator--af7422eb-5d8e-4878-bdd1-395313434dae", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-89" + "threatstream-confidence-89", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:59:27.070Z", "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php", @@ -3380,15 +3380,15 @@ "log.offset": 57364, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime", "threatintel.anomali.id": "indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-89" + "threatstream-confidence-89", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:59:28.967Z", "threatintel.anomali.name": "mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php", 
@@ -3416,15 +3416,15 @@ "log.offset": 57988, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime", "threatintel.anomali.id": "indicator--9d948509-dfb4-45b6-b8bc-780df88a213f", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-81" + "threatstream-confidence-81", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:59:37.661Z", "threatintel.anomali.name": "mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php", @@ -3452,15 +3452,15 @@ "log.offset": 58627, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime", "threatintel.anomali.id": "indicator--9f613f8e-2040-4eee-8044-044023a8093e", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-53" + "threatstream-confidence-53", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:59:37.692Z", "threatintel.anomali.name": "mal_ip: 192.64.118.56", 
@@ -3484,15 +3484,15 @@ "log.offset": 59173, "service.type": "threatintel", "tags": [ - "threatintel-anomali", - "forwarded" + "forwarded", + "threatintel-anomali" ], "threatintel.anomali.description": "TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime", "threatintel.anomali.id": "indicator--518c3959-6c26-413f-9a5f-c8f76d86185a", "threatintel.anomali.labels": [ "malicious-activity", - "threatstream-severity-medium", - "threatstream-confidence-87" + "threatstream-confidence-87", + "threatstream-severity-medium" ], "threatintel.anomali.modified": "2020-01-25T02:59:54.296Z", "threatintel.anomali.name": "mal_url: http://insuncos.com/files3/panel/admin.php", diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json index a5978301da2..1d84eda36cb 100644 --- a/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/malwarebazaar/test/malwarebazaar.ndjson.log-expected.json @@ -10,15 +10,15 @@ "log.offset": 0, "related.hash": [ "0af07660056a692b7cb82fa329221ddd", - "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b", "3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG", - "f34d5f2d4577ed6d9ceec516c1f5a744", - "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686" + "5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b", + "F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686", + "f34d5f2d4577ed6d9ceec516c1f5a744" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "exe", "threatintel.indicator.file.hash.md5": "0af07660056a692b7cb82fa329221ddd", 
@@ -53,15 +53,15 @@ "input.type": "log", "log.offset": 871, "related.hash": [ - "296aad7075596d21516b30bfbc17fcac", - "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f", "12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr", - "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF" + "296aad7075596d21516b30bfbc17fcac", + "74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF", + "83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "zip", "threatintel.indicator.file.hash.md5": "296aad7075596d21516b30bfbc17fcac", @@ -92,16 +92,16 @@ "input.type": "log", "log.offset": 1701, "related.hash": [ - "a4838dd31c672122441bebcbf7e9d277", - "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b", - "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG", + "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7", "0b5a952a025c2783c3126cdb9bef2844", - "0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7" + "12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG", + "a4838dd31c672122441bebcbf7e9d277", + "f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "dll", "threatintel.indicator.file.hash.md5": "a4838dd31c672122441bebcbf7e9d277", 
@@ -137,15 +137,15 @@ "input.type": "log", "log.offset": 2563, "related.hash": [ - "8d7c8b55ac49d241fb7f75a27a5ef8d5", - "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00", "192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7", - "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD" + "8d7c8b55ac49d241fb7f75a27a5ef8d5", + "AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD", + "e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "unknown", "threatintel.indicator.file.hash.md5": "8d7c8b55ac49d241fb7f75a27a5ef8d5", @@ -180,15 +180,15 @@ "input.type": "log", "log.offset": 3414, "related.hash": [ - "fe185f106730583156f39233f77f8019", - "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4", + "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144", "196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2", - "13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144" + "42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4", + "fe185f106730583156f39233f77f8019" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "docx", "threatintel.indicator.file.hash.md5": "fe185f106730583156f39233f77f8019", 
@@ -222,16 +222,16 @@ "input.type": "log", "log.offset": 4311, "related.hash": [ - "70da6872b6b2da9ddc94d14b02302917", - "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c", "1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E", + "2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c", "6476b7c4dd55eafbdf922a7ba1e2d5f9", + "70da6872b6b2da9ddc94d14b02302917", "A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "dll", "threatintel.indicator.file.hash.md5": "70da6872b6b2da9ddc94d14b02302917", @@ -267,15 +267,15 @@ "input.type": "log", "log.offset": 5209, "related.hash": [ - "de80e1d7d9f5b1c64ec9f8d4f5063989", - "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606", "24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO", - "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7" + "30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606", + "8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7", + "de80e1d7d9f5b1c64ec9f8d4f5063989" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "docx", "threatintel.indicator.file.hash.md5": "de80e1d7d9f5b1c64ec9f8d4f5063989", 
@@ -306,16 +306,16 @@ "input.type": "log", "log.offset": 6096, "related.hash": [ + "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0", + "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646", "2759c73c986c6a757bf9d25621c5595a", "84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b", - "12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0", - "f34d5f2d4577ed6d9ceec516c1f5a744", - "23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646" + "f34d5f2d4577ed6d9ceec516c1f5a744" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "exe", "threatintel.indicator.file.hash.md5": "2759c73c986c6a757bf9d25621c5595a", @@ -339,8 +339,8 @@ "threatintel.malwarebazaar.intelligence.mail.Generic": "low", "threatintel.malwarebazaar.intelligence.uploads": 1, "threatintel.malwarebazaar.tags": [ - "exe", - "SnakeKeylogger" + "SnakeKeylogger", + "exe" ] }, { @@ -353,16 +353,16 @@ "input.type": "log", "log.offset": 7020, "related.hash": [ - "596b3dbf07a287dcf76860b5e54762c3", "0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8", "12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN", - "f34d5f2d4577ed6d9ceec516c1f5a744", - "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655" + "596b3dbf07a287dcf76860b5e54762c3", + "A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655", + "f34d5f2d4577ed6d9ceec516c1f5a744" ], "service.type": "threatintel", "tags": [ - "threatintel-malwarebazaar", - "forwarded" + "forwarded", + "threatintel-malwarebazaar" ], "threatintel.indicator.file.extension": "exe", "threatintel.indicator.file.hash.md5": "596b3dbf07a287dcf76860b5e54762c3", 
diff --git a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json index 27638c4be7b..06d0b79dc22 100644 --- a/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json +++ b/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log-expected.json @@ -11,11 +11,11 @@ "log.offset": 0, "service.type": "threatintel", "tags": [ + "malware_classification:malware-category=Ransomware", "misp-galaxy:ransomware=Dharma Ransomware", - "type:OSINT", + "osint:source-type=blog - post", "tlp:white", - "malware_classification:malware-category=Ransomware", - "osint:source-type=blog - post" + "type:OSINT" ], "threatintel.indicator.file.hash.md5": "f2679bdabe46e10edc6352fff3c829bc", "threatintel.indicator.marking.tlp": [ @@ -69,11 +69,11 @@ "log.offset": 8248, "service.type": "threatintel", "tags": [ + "malware_classification:malware-category=Ransomware", "misp-galaxy:ransomware=Dharma Ransomware", - "type:OSINT", + "osint:source-type=blog - post", "tlp:white", - "malware_classification:malware-category=Ransomware", - "osint:source-type=blog - post" + "type:OSINT" ], "threatintel.indicator.domain": "your-ip.getmyip.com", "threatintel.indicator.ip": "178.128.103.74", @@ -186,8 +186,8 @@ "log.offset": 20139, "service.type": "threatintel", "tags": [ - "type:OSINT", - "tlp:green" + "tlp:green", + "type:OSINT" ], "threatintel.indicator.file.hash.sha256": "0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0", "threatintel.indicator.marking.tlp": [ @@ -241,8 +241,8 @@ "log.offset": 21711, "service.type": "threatintel", "tags": [ - "type:OSINT", - "tlp:green" + "tlp:green", + "type:OSINT" ], "threatintel.indicator.ip": "223.25.233.248", "threatintel.indicator.marking.tlp": [ 
@@ -296,8 +296,8 @@ "log.offset": 23232, "service.type": "threatintel", "tags": [ - "type:OSINT", - "tlp:green" + "tlp:green", + "type:OSINT" ], "threatintel.indicator.domain": "xenserver.ddns.net", "threatintel.indicator.marking.tlp": [ @@ -351,8 +351,8 @@ "log.offset": 24759, "service.type": "threatintel", "tags": [ - "type:OSINT", - "tlp:green" + "tlp:green", + "type:OSINT" ], "threatintel.indicator.marking.tlp": [ "green" @@ -406,8 +406,8 @@ "log.offset": 26271, "service.type": "threatintel", "tags": [ - "type:OSINT", - "tlp:green" + "tlp:green", + "type:OSINT" ], "threatintel.indicator.file.hash.sha1": "0ea76f1586c008932d90c991dfdd5042f3aac8ea", "threatintel.indicator.marking.tlp": [ @@ -461,8 +461,8 @@ "log.offset": 27875, "service.type": "threatintel", "tags": [ - "type:OSINT", - "tlp:green" + "tlp:green", + "type:OSINT" ], "threatintel.indicator.domain": "whatsapp.com", "threatintel.indicator.marking.tlp": [ @@ -516,8 +516,8 @@ "log.offset": 29397, "service.type": "threatintel", "tags": [ - "misp-galaxy:threat-actor=Turla Group", "Turla", + "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], "threatintel.indicator.marking.tlp": [ @@ -576,8 +576,8 @@ "log.offset": 31486, "service.type": "threatintel", "tags": [ - "misp-galaxy:threat-actor=Turla Group", "Turla", + "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], "threatintel.indicator.marking.tlp": [ @@ -631,8 +631,8 @@ "log.offset": 33567, "service.type": "threatintel", "tags": [ - "misp-galaxy:threat-actor=Turla Group", "Turla", + "misp-galaxy:threat-actor=Turla Group", "tlp:white" ], "threatintel.indicator.file.hash.sha1": "c51d288469df9f25e2fb7ac491918b3e579282ea", diff --git a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json index ca9e4425b46..0b8ce8ddb19 100644 --- a/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json 
+++ b/x-pack/filebeat/module/threatintel/otx/test/otx_sample.ndjson.log-expected.json @@ -10,8 +10,8 @@ "log.offset": 0, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "86.104.194.30", "threatintel.indicator.type": "ipv4-addr" @@ -27,8 +27,8 @@ "log.offset": 102, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "90421f8531f963d81cf54245b72cde80", "threatintel.indicator.type": "file", @@ -46,8 +46,8 @@ "log.offset": 312, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "ip.anysrc.net", "threatintel.indicator.type": "domain-name" @@ -63,8 +63,8 @@ "log.offset": 419, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "107.173.58.176", "threatintel.indicator.type": "ipv4-addr" @@ -80,8 +80,8 @@ "log.offset": 523, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "d8c70ca70fd3555a0828fede6cc1f59e2c320ede80157039b6a2f09c336d5f7a", "threatintel.indicator.type": "file" @@ -97,8 +97,8 @@ "log.offset": 688, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "f8e58af3ffefd4037fef246e93a55dc8", "threatintel.indicator.type": "file", @@ -115,8 +115,8 @@ "log.offset": 887, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54", "threatintel.indicator.type": "file" 
@@ -132,8 +132,8 @@ "log.offset": 1053, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "8d24a14f2600482d0231396b6350cf21773335ec2f0b8919763317fdab78baae", "threatintel.indicator.type": "file", @@ -150,8 +150,8 @@ "log.offset": 1234, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "213.252.244.38", "threatintel.indicator.type": "ipv4-addr" @@ -167,8 +167,8 @@ "log.offset": 1339, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "c758ec922b173820374e552c2f015ac53cc5d9f99cc92080e608652aaa63695b", "threatintel.indicator.type": "file" @@ -184,8 +184,8 @@ "log.offset": 1505, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6", "threatintel.indicator.type": "file" @@ -201,8 +201,8 @@ "log.offset": 1671, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "aeb08b0651bc8a13dcf5e5f6c0d482f8", "threatintel.indicator.type": "file", @@ -219,8 +219,8 @@ "log.offset": 1871, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "6df5e1a017dff52020c7ff6ad92fdd37494e31769e1be242f6b23d1ea2d60140", "threatintel.indicator.type": "file" 
@@ -236,8 +236,8 @@ "log.offset": 2037, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "c72fef3835f65cb380f6920b22c3488554d1af6d298562ccee92284f265c9619", "threatintel.indicator.type": "file" @@ -253,8 +253,8 @@ "log.offset": 2203, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "e711fcd0f182b214c6ec74011a395f4c853068d59eb7c57f90c4a3e1de64434a", "threatintel.indicator.type": "file" @@ -270,8 +270,8 @@ "log.offset": 2369, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e", "threatintel.indicator.type": "file" @@ -287,8 +287,8 @@ "log.offset": 2536, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "70447996722e5c04514d20b7a429d162b46546002fb0c87f512b40f16bac99bb", "threatintel.indicator.type": "file" @@ -304,8 +304,8 @@ "log.offset": 2703, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "29340643ca2e6677c19e1d3bf351d654", "threatintel.indicator.type": "file", @@ -323,8 +323,8 @@ "log.offset": 2919, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "86c314bc2dc37ba84f7364acd5108c2b", "threatintel.indicator.type": "file", 
@@ -342,8 +342,8 @@ "log.offset": 3135, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "cb0c1248d3899358a375888bb4e8f3fe", "threatintel.indicator.type": "file", @@ -361,8 +361,8 @@ "log.offset": 3355, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "d348f536e214a47655af387408b4fca5", "threatintel.indicator.type": "file", @@ -380,8 +380,8 @@ "log.offset": 3571, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "29ff1903832827e328ad9ec05fdf268eadd6db8b613597cf65f8740c211be413", "threatintel.indicator.type": "file", @@ -398,8 +398,8 @@ "log.offset": 3764, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222", "threatintel.indicator.type": "file" @@ -415,8 +415,8 @@ "log.offset": 3931, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "e4db5405ac7ab517d43722e1ca8d653ea4a32802bc8a5410d032275eedc7b7ee", "threatintel.indicator.type": "file" @@ -432,8 +432,8 @@ "log.offset": 4098, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "465e7c1e36899284da5c4425dfd687af2496f397fe60c85ea2b4d85dff5a08aa", "threatintel.indicator.type": "file", 
@@ -450,8 +450,8 @@ "log.offset": 4303, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "5051906d6ed1b2ae9c9a9f070ef73c9be8f591d2e41d144649a0dc96e28d0400", "threatintel.indicator.type": "file" @@ -467,8 +467,8 @@ "log.offset": 4470, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "14b74cb9be8cad8eb5fa8842d00bb692", "threatintel.indicator.type": "file", @@ -486,8 +486,8 @@ "log.offset": 4709, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "a5b59f7d133e354dfc73f40517aab730f322f0ef", "threatintel.indicator.type": "file", @@ -505,8 +505,8 @@ "log.offset": 4958, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b", "threatintel.indicator.type": "file" @@ -522,8 +522,8 @@ "log.offset": 5125, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "ff2dcea4963e060a658f4dffbb119529", "threatintel.indicator.type": "file", @@ -541,8 +541,8 @@ "log.offset": 5352, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "0d73f1a1c4b2f8723fffc83eb3d00f31", "threatintel.indicator.type": "file", @@ -560,8 +560,8 @@ "log.offset": 5579, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "185.25.50.167", "threatintel.indicator.type": "ipv4-addr" 
@@ -577,8 +577,8 @@ "log.offset": 5684, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "d35a30264c0698709ad554489004e0077e263d354ced0c54552a0b500f91ecc0", "threatintel.indicator.type": "file" @@ -594,8 +594,8 @@ "log.offset": 5851, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "5264b455f453820be629a324196131492ff03c80491e823ac06657c9387250dd", "threatintel.indicator.type": "file" @@ -611,8 +611,8 @@ "log.offset": 6018, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56", "threatintel.indicator.type": "file", @@ -629,8 +629,8 @@ "log.offset": 6204, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4", "threatintel.indicator.type": "file", @@ -647,8 +647,8 @@ "log.offset": 6386, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8", "threatintel.indicator.type": "file" @@ -664,8 +664,8 @@ "log.offset": 6553, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec", "threatintel.indicator.type": "file", 
@@ -682,8 +682,8 @@ "log.offset": 6735, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2", "threatintel.indicator.type": "file", @@ -700,8 +700,8 @@ "log.offset": 6917, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e", "threatintel.indicator.type": "file" @@ -717,8 +717,8 @@ "log.offset": 7084, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "ad20c6fac565f901c82a21b70f9739037eb54818", "threatintel.indicator.type": "file", @@ -736,8 +736,8 @@ "log.offset": 7310, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "13f11e273f9a4a56557f03821c3bfd591cca6ebc", "threatintel.indicator.type": "file", @@ -755,8 +755,8 @@ "log.offset": 7536, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "1581fe76e3c96dc33182daafd09c8cf5c17004e0", "threatintel.indicator.type": "file", @@ -774,8 +774,8 @@ "log.offset": 7762, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "b72e75e9e901a44b655a5cf89cf0eadcaff46037", "threatintel.indicator.type": "file", @@ -793,8 +793,8 @@ "log.offset": 7992, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "maper.info", "threatintel.indicator.type": "domain-name" 
@@ -810,8 +810,8 @@ "log.offset": 8096, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "213.252.244.126", "threatintel.indicator.type": "ipv4-addr" @@ -827,8 +827,8 @@ "log.offset": 8203, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "78.129.139.131", "threatintel.indicator.type": "ipv4-addr" @@ -844,8 +844,8 @@ "log.offset": 8309, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "9af8a93519d22ed04ffb9ccf6861c9df1b77dc5d22e0aeaff4a582dbf8660ba6", "threatintel.indicator.type": "file", @@ -862,8 +862,8 @@ "log.offset": 8498, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "be9fb556a3c7aef0329e768d7f903e7dd42a821abc663e11fb637ce33b007087", "threatintel.indicator.type": "file", @@ -880,8 +880,8 @@ "log.offset": 8687, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "3bfec096c4837d1e6485fe0ae0ea6f1c0b44edc611d4f2204cc9cf73c985cbc2", "threatintel.indicator.type": "file", @@ -898,8 +898,8 @@ "log.offset": 8876, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "dff2e39b2e008ea89a3d6b36dcd9b8c927fb501d60c1ad5a52ed1ffe225da2e2", "threatintel.indicator.type": "file", @@ -916,8 +916,8 @@ "log.offset": 9065, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "6b4d271a48d118843aee3dee4481fa2930732ed7075db3241a8991418f00d92b", "threatintel.indicator.type": "file", 
@@ -934,8 +934,8 @@ "log.offset": 9254, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "26de4265303491bed1424d85b263481ac153c2b3513f9ee48ffb42c12312ac43", "threatintel.indicator.type": "file", @@ -952,8 +952,8 @@ "log.offset": 9443, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "02f54da6c6f2f87ff7b713d46e058dedac1cedabd693643bb7f6dfe994b2105d", "threatintel.indicator.type": "file", @@ -970,8 +970,8 @@ "log.offset": 9632, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "103.13.67.4", "threatintel.indicator.type": "ipv4-addr" @@ -987,8 +987,8 @@ "log.offset": 9735, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "80.90.87.201", "threatintel.indicator.type": "ipv4-addr" @@ -1004,8 +1004,8 @@ "log.offset": 9839, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "80.80.163.182", "threatintel.indicator.type": "ipv4-addr" @@ -1021,8 +1021,8 @@ "log.offset": 9944, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "91.187.114.210", "threatintel.indicator.type": "ipv4-addr" @@ -1038,8 +1038,8 @@ "log.offset": 10050, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "170.238.117.187", "threatintel.indicator.type": "ipv4-addr" 
@@ -1055,8 +1055,8 @@ "log.offset": 10157, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha256": "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d", "threatintel.indicator.type": "file" @@ -1072,8 +1072,8 @@ "log.offset": 10324, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "103.84.238.3", "threatintel.indicator.type": "ipv4-addr" @@ -1089,8 +1089,8 @@ "log.offset": 10428, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "179.43.158.171", "threatintel.indicator.type": "ipv4-addr" @@ -1106,8 +1106,8 @@ "log.offset": 10534, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "198.211.116.199", "threatintel.indicator.type": "ipv4-addr" @@ -1123,8 +1123,8 @@ "log.offset": 10641, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "203.176.135.102", "threatintel.indicator.type": "ipv4-addr", @@ -1141,8 +1141,8 @@ "log.offset": 10754, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "fotmailz.com", "threatintel.indicator.type": "domain-name" @@ -1158,8 +1158,8 @@ "log.offset": 10860, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "pori89g5jqo3v8.com", "threatintel.indicator.type": "domain-name" 
@@ -1175,8 +1175,8 @@ "log.offset": 10972, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "sebco.co.ke", "threatintel.indicator.type": "domain-name" @@ -1192,8 +1192,8 @@ "log.offset": 11077, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "177.74.232.124", "threatintel.indicator.type": "ipv4-addr", @@ -1210,8 +1210,8 @@ "log.offset": 11189, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "chishir.com", "threatintel.indicator.type": "domain-name" @@ -1227,8 +1227,8 @@ "log.offset": 11294, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "kostunivo.com", "threatintel.indicator.type": "domain-name" @@ -1244,8 +1244,8 @@ "log.offset": 11401, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "mangoclone.com", "threatintel.indicator.type": "domain-name" @@ -1261,8 +1261,8 @@ "log.offset": 11509, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.domain": "onixcellent.com", "threatintel.indicator.type": "domain-name" @@ -1278,8 +1278,8 @@ "log.offset": 11618, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "fc0efd612ad528795472e99cae5944b68b8e26dc", "threatintel.indicator.type": "file", 
@@ -1296,8 +1296,8 @@ "log.offset": 11774, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "24d4bbc982a6a561f0426a683b9617de1a96a74a", "threatintel.indicator.type": "file", @@ -1314,8 +1314,8 @@ "log.offset": 11936, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "fa98074dc18ad7e2d357b5d168c00a91256d87d1", "threatintel.indicator.type": "file", @@ -1332,8 +1332,8 @@ "log.offset": 12092, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.sha1": "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a", "threatintel.indicator.type": "file", @@ -1350,8 +1350,8 @@ "log.offset": 12248, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "96.9.77.142", "threatintel.indicator.type": "ipv4-addr", @@ -1368,8 +1368,8 @@ "log.offset": 12357, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "36.89.106.69", "threatintel.indicator.type": "ipv4-addr" @@ -1385,8 +1385,8 @@ "log.offset": 12461, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.ip": "96.9.73.73", "threatintel.indicator.type": "ipv4-addr" @@ -1402,8 +1402,8 @@ "log.offset": 12563, "service.type": "threatintel", "tags": [ - "threatintel-otx", - "forwarded" + "forwarded", + "threatintel-otx" ], "threatintel.indicator.file.hash.md5": "10ec3571596c30b9993b89f12d29d23c", "threatintel.indicator.type": "file", 
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
index b137d676da9..8088cef76c6 100644
--- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
@@ -44,8 +44,8 @@
 "10.251.224.219"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.com",
 "url.query": "amremap",
@@ -76,9 +76,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+ "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev",
 "mail.example.com",
- "www5.example.net",
- "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev"
+ "www5.example.net"
 ],
 "related.ip": [
 "10.196.153.12"
@@ -105,8 +105,8 @@
 "10.196.153.12"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.net",
 "url.query": "uii",
@@ -137,10 +137,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www.example.com",
 "internal.example.com",
 "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat",
 "ctetur5806.api.home"
+=======
+ "ctetur5806.api.home",
+ "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat",
+ "internal.example.com",
+ "www.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.156.194.38"
@@ -169,8 +176,8 @@
 "10.156.194.38"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.com",
 "url.query": "aer",
@@ -231,8 +238,8 @@
 "10.196.118.192"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.org",
 "url.query": "con",
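Review bot: The `@@ -137,10 +137,17 @@` hunk commits unresolved cherry-pick conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 52f226530d...`) into generated.log-expected.json, so the file is no longer valid JSON and any strict parser, including the module test that loads this fixture, will reject it. The same markers are added in `@@ -326,8 +333,12 @@`, `@@ -391,8 +402,14 @@`, `@@ -455,10 +472,15 @@`, `@@ -522,6 +544,10 @@` and `@@ -643,9 +669,15 @@` of this file. Hand-picking a side looks unsafe: taking the `>>>>>>>` side of `@@ -522,6 +544,10 @@` would leave `"example.org"` listed twice, and keeping the HEAD side of `@@ -326,8 +333,12 @@` would duplicate the `https://internal.example.com/omnis/...` entry, so neither side appears to be the intended sorted array. Regenerating this expected file with the module test's generate mode after the cherry-pick, so every `related.hosts` array is emitted once in the new sorted order, is the safer fix, and running the file through `python -m json.tool` before committing would catch this class of breakage.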
@@ -264,9 +271,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "internal.example.net",
+ "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn",
 "internal.example.com",
- "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn"
+ "internal.example.net"
 ],
 "related.ip": [
 "10.246.209.145"
@@ -293,8 +300,8 @@
 "10.246.209.145"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.com",
 "url.query": "eos",
@@ -326,8 +333,12 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+ "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu",
 "internal.example.com",
+<<<<<<< HEAD
 "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "www5.example.org"
 ],
 "related.ip": [
@@ -355,8 +366,8 @@
 "10.114.191.225"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.com",
 "url.query": "occ",
@@ -391,8 +402,14 @@
 "related.hosts": [
 "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat",
 "api.example.com",
+<<<<<<< HEAD
 "www5.example.net",
 "erep2696.www.home"
+=======
+ "erep2696.www.home",
+ "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat",
+ "www5.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.38.77.13"
@@ -421,8 +438,8 @@
 "10.38.77.13"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.net",
 "url.query": "ipis",
@@ -455,10 +472,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www.example.org",
 "mail.example.org",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "https://www.example.org/idexea/riat.txt?tvol=moll#tatione",
- "mUt2398.invalid"
+ "mUt2398.invalid",
+ "mail.example.org",
+ "www.example.org"
 ],
 "related.ip": [
 "10.11.201.109"
@@ -487,8 +509,8 @@
 "10.11.201.109"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "deomni",
@@ -522,6 +544,10 @@
 "related.hosts": [
 "example.org",
 "api.example.org",
+<<<<<<< HEAD
+=======
+ "example.org",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan"
 ],
 "related.ip": [
@@ -549,8 +575,8 @@
 "10.182.166.181"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.org",
 "url.query": "ollit",
@@ -611,8 +637,8 @@
 "10.185.126.247"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.net",
 "url.query": "smo",
@@ -643,9 +669,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.net",
 "example.com",
 "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf",
+=======
+ "example.com",
+ "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf",
+ "mail.example.net",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "siuta2896.www.localhost"
 ],
 "related.ip": [
@@ -675,8 +707,8 @@
 "10.72.114.23"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.com",
 "url.query": "strude",
@@ -708,9 +740,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun",
 "internal.example.net",
 "example.net",
+=======
+ "example.net",
+ "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun",
+ "internal.example.net",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "oin6316.www5.host"
 ],
 "related.ip": [
@@ -740,8 +778,8 @@
 "10.129.241.147"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "luptat",
@@ -773,10 +811,10 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "www5.example.com",
- "internal.example.net",
 "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol",
- "tionemu7691.www.local"
+ "internal.example.net",
+ "tionemu7691.www.local",
+ "www5.example.com"
 ],
 "related.ip": [
 "10.185.101.76"
@@ -805,8 +843,8 @@
 "10.185.101.76"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.com",
 "url.query": "colabor",
@@ -839,8 +877,8 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "example.net",
- "www.example.org",
- "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati"
+ "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati",
+ "www.example.org"
 ],
 "related.ip": [
 "10.57.170.140"
@@ -867,8 +905,8 @@
 "10.57.170.140"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "giatquov",
@@ -900,8 +938,13 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip",
+<<<<<<< HEAD
 "internal.example.net",
 "internal.example.com"
+=======
+ "internal.example.com",
+ "internal.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.33.153.47"
@@ -928,8 +971,8 @@
 "10.33.153.47"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.com",
 "url.query": "emeumfu",
@@ -962,9 +1005,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "internal.example.net",
+ "conse2991.internal.lan",
 "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla",
- "conse2991.internal.lan"
+ "internal.example.net"
 ],
 "related.ip": [
 "10.116.104.101"
@@ -993,8 +1036,8 @@
 "10.116.104.101"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.net",
 "url.query": "iades",
@@ -1026,9 +1069,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame",
 "internal.example.com",
 "example.com"
+=======
+ "example.com",
+ "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame",
+ "internal.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.202.194.67"
@@ -1055,8 +1104,8 @@
 "10.202.194.67"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.com",
 "url.query": "nsectet",
@@ -1089,10 +1138,10 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "www5.example.com",
- "www.example.com",
 "https://www5.example.com/etconse/tincu.txt?lit=asun#estia",
- "wri2784.api.domain"
+ "wri2784.api.domain",
+ "www.example.com",
+ "www5.example.com"
 ],
 "related.ip": [
 "10.153.111.103"
@@ -1121,8 +1170,8 @@
 "10.153.111.103"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.com",
 "url.query": "occae",
@@ -1183,8 +1232,8 @@
 "10.52.186.29"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.org",
 "url.query": "tmo",
@@ -1219,8 +1268,14 @@
 "related.hosts": [
 "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela",
 "example.net",
+<<<<<<< HEAD
 "www.example.org",
 "oquisqu2937.mail.domain"
+=======
+ "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela",
+ "oquisqu2937.mail.domain",
+ "www.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.209.182.237"
@@ -1249,8 +1304,8 @@
 "10.209.182.237"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "eprehend",
@@ -1283,10 +1338,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.net",
 "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn",
 "api.example.org",
 "dolore1287.internal.lan"
+=======
+ "api.example.org",
+ "dolore1287.internal.lan",
+ "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn",
+ "mail.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.63.194.87"
@@ -1315,8 +1377,8 @@
 "10.63.194.87"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.net",
 "url.query": "bore",
@@ -1348,9 +1410,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www5.example.org",
 "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli",
 "www.example.org"
+=======
+ "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli",
+ "www.example.org",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.62.191.18"
@@ -1377,8 +1445,8 @@
 "10.62.191.18"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "dtemp",
@@ -1412,6 +1480,10 @@
 "related.hosts": [
 "example.org",
 "example.net",
+<<<<<<< HEAD
+=======
+ "example.org",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer"
 ],
 "related.ip": [
@@ -1439,8 +1511,8 @@
 "10.238.164.29"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "quidolor",
@@ -1472,8 +1544,13 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "example.com",
+<<<<<<< HEAD
 "internal.example.com",
 "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius"
+=======
+ "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius",
+ "internal.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.155.230.17"
@@ -1500,8 +1577,8 @@
 "10.155.230.17"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.com",
 "url.query": "tet",
@@ -1534,10 +1611,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.net",
 "https://example.net/officiad/itam.html?madmi=tur#roi",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "example.net",
- "ide2767.www5.local"
+ "https://example.net/officiad/itam.html?madmi=tur#roi",
+ "ide2767.www5.local",
+ "mail.example.net"
 ],
 "related.ip": [
 "10.102.229.102"
@@ -1566,8 +1648,8 @@
 "10.102.229.102"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "orem",
@@ -1600,9 +1682,15 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon",
+<<<<<<< HEAD
 "www5.example.org",
 "mail.example.org",
 "sBon1759.invalid"
+=======
+ "mail.example.org",
+ "sBon1759.invalid",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.194.14.7"
@@ -1631,8 +1719,8 @@
 "10.194.14.7"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.org",
 "url.query": "ios",
@@ -1693,8 +1781,8 @@
 "10.99.0.226"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.net",
 "url.query": "ema",
@@ -1726,9 +1814,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut",
 "www.example.net",
 "api.example.org"
+=======
+ "api.example.org",
+ "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut",
+ "www.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.107.174.213"
@@ -1755,8 +1849,8 @@
 "10.107.174.213"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.net",
 "url.query": "ctet",
@@ -1789,10 +1883,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.org",
 "www.example.org",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem",
- "idunt4707.host"
+ "idunt4707.host",
+ "mail.example.org",
+ "www.example.org"
 ],
 "related.ip": [
 "10.84.25.23"
@@ -1821,8 +1920,8 @@
 "10.84.25.23"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.org",
 "url.query": "borios",
@@ -1854,9 +1953,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www.example.org",
 "api.example.com",
 "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab"
+=======
+ "api.example.com",
+ "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab",
+ "www.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.193.143.108"
@@ -1883,8 +1988,8 @@
 "10.193.143.108"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "ofdeFin",
@@ -1917,10 +2022,10 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "https://example.com/mexe/its.htm?ice=oles#edic",
+ "emquia1497.www5.lan",
 "example.com",
 "example.org",
- "emquia1497.www5.lan"
+ "https://example.com/mexe/its.htm?ice=oles#edic"
 ],
 "related.ip": [
 "10.190.51.22"
@@ -1949,8 +2054,8 @@
 "10.190.51.22"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.com",
 "url.query": "tutlab",
@@ -1982,10 +2087,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www5.example.com",
 "https://www.example.com/velitess/naali.htm?nre=veli#volupta",
+=======
+ "https://www.example.com/velitess/naali.htm?nre=veli#volupta",
+ "riat3854.www5.home",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "www.example.com",
- "riat3854.www5.home"
+ "www5.example.com"
 ],
 "related.ip": [
 "10.194.90.130"
@@ -2014,8 +2124,8 @@
 "10.194.90.130"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.com",
 "url.query": "elitse",
@@ -2072,8 +2182,8 @@
 "10.10.213.83"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "uptate",
@@ -2106,10 +2216,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.net",
 "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon",
 "api.example.org",
 "aboreetd5461.host"
+=======
+ "aboreetd5461.host",
+ "api.example.org",
+ "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon",
+ "mail.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.52.125.9"
@@ -2138,8 +2255,8 @@
 "10.52.125.9"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.org",
 "url.query": "mvele",
@@ -2171,9 +2288,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+ "api.example.net",
 "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun",
- "www5.example.org",
- "api.example.net"
+ "www5.example.org"
 ],
 "related.ip": [
 "10.19.17.202"
@@ -2200,8 +2317,8 @@
 "10.19.17.202"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.net",
 "url.query": "tincu",
@@ -2234,10 +2351,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal",
 "mail.example.org",
 "api.example.com",
 "iquidexe304.mail.test"
+=======
+ "api.example.com",
+ "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal",
+ "iquidexe304.mail.test",
+ "mail.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.195.64.5"
@@ -2266,8 +2390,8 @@
 "10.195.64.5"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.org",
 "url.query": "rsita",
@@ -2300,9 +2424,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "mail.example.com",
- "internal.example.com",
 "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur",
+ "internal.example.com",
+ "mail.example.com",
 "remips4828.www5.host"
 ],
 "related.ip": [
@@ -2332,8 +2456,8 @@
 "10.209.77.194"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.com",
 "url.query": "dat",
@@ -2394,8 +2518,8 @@
 "10.168.6.90"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "rer",
@@ -2426,9 +2550,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.com",
 "api.example.org",
 "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu"
+=======
+ "api.example.org",
+ "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu",
+ "mail.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.89.137.238"
@@ -2455,8 +2585,8 @@
 "10.89.137.238"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.com",
 "url.query": "uptatemU",
@@ -2489,8 +2619,8 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "example.org",
- "www5.example.net",
- "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat"
+ "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat",
+ "www5.example.net"
 ],
 "related.ip": [
 "10.246.61.213"
@@ -2517,8 +2647,8 @@
 "10.246.61.213"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.org",
 "url.query": "tconsec",
@@ -2550,10 +2680,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www.example.org",
 "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo",
 "www5.example.net",
 "orin5238.host"
+=======
+ "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo",
+ "orin5238.host",
+ "www.example.org",
+ "www5.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.117.44.138"
@@ -2582,8 +2719,8 @@
 "10.117.44.138"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "emvele",
@@ -2615,9 +2752,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "www.example.net",
 "example.net",
- "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov"
+ "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov",
+ "www.example.net"
 ],
 "related.ip": [
 "10.69.30.196"
@@ -2644,8 +2781,8 @@
 "10.69.30.196"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "urmag",
@@ -2703,8 +2840,8 @@
 "10.135.91.88"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.com",
 "url.query": "urExce",
@@ -2737,10 +2874,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "example.net",
 "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor",
 "api.example.org",
 "agnaaliq1829.mail.test"
+=======
+ "agnaaliq1829.mail.test",
+ "api.example.org",
+ "example.net",
+ "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.81.45.174"
@@ -2769,8 +2913,8 @@
 "10.81.45.174"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "erun",
@@ -2801,8 +2945,8 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "www.example.org",
- "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae"
+ "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae",
+ "www.example.org"
 ],
 "related.ip": [
 "10.87.179.233"
@@ -2829,8 +2973,8 @@
 "10.87.179.233"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "uia",
@@ -2864,6 +3008,10 @@
 "related.hosts": [
 "example.com",
 "api.example.net",
+<<<<<<< HEAD
+=======
+ "example.com",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir"
 ],
 "related.ip": [
@@ -2891,8 +3039,8 @@
 "10.198.57.130"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.net",
 "url.query": "emip",
@@ -2953,8 +3101,8 @@
 "10.218.0.197"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.net",
 "url.query": "quasiar",
@@ -2989,8 +3137,13 @@
 "related.hosts": [
 "example.com",
 "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem",
+<<<<<<< HEAD
 "mail.example.com",
 "iatqu7310.api.home"
+=======
+ "iatqu7310.api.home",
+ "mail.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.123.199.198"
@@ -3019,8 +3172,8 @@
 "10.123.199.198"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.com",
 "url.query": "eratv",
@@ -3056,6 +3209,7 @@
 "example.org",
 "internal.example.net",
 "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu",
+ "internal.example.net",
 "uamnihil6127.api.domain"
 ],
 "related.ip": [
@@ -3085,8 +3239,8 @@
 "10.29.119.245"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.net",
 "url.query": "taliqui",
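Review bot: The hunk at `@@ -3056,6 +3209,7 @@` has no conflict markers yet still adds a second `"internal.example.net"` to a `related.hosts` array that already holds it, placed after the `https://` entry, so on the new side the array is neither free of duplicates nor in the sorted order the commit message promises. `@@ -3821,7 +4013,8 @@` later in the file does the same with `"www5.example.net"`. These look like the remains of a both-sides merge in which the cherry-picked insertion was kept while the matching removal was not; the one-line fix here is to drop `+ "internal.example.net",`, but since the file is generated, re-running the generator on the resolved tree is the safer way to get a consistent fixture.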
@@ -3120,9 +3274,15 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom",
+<<<<<<< HEAD
 "www.example.org",
 "mail.example.net",
 "uov1629.internal.invalid"
+=======
+ "mail.example.net",
+ "uov1629.internal.invalid",
+ "www.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.130.175.17"
@@ -3151,8 +3311,8 @@
 "10.130.175.17"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.net",
 "url.query": "atnulapa",
@@ -3213,8 +3373,8 @@
 "10.166.90.130"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.net",
 "url.query": "npr",
@@ -3247,9 +3407,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+ "api.example.org",
 "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui",
 "internal.example.org",
- "api.example.org",
 "orumw5960.www5.home"
 ],
 "related.ip": [
@@ -3279,8 +3439,8 @@
 "10.248.111.207"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.org",
 "url.query": "incidid",
@@ -3313,8 +3473,13 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "api.example.net",
+<<<<<<< HEAD
 "internal.example.net",
 "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore"
+=======
+ "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore",
+ "internal.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.185.37.32"
@@ -3341,8 +3506,8 @@
 "10.185.37.32"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.net",
 "url.query": "sinto",
@@ -3374,9 +3539,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "internal.example.com",
 "example.org",
 "https://example.org/pisc/urEx.html?rautod=olest#eataev"
+=======
+ "example.org",
+ "https://example.org/pisc/urEx.html?rautod=olest#eataev",
+ "internal.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.5.194.202"
@@ -3403,8 +3574,8 @@
 "10.5.194.202"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.org",
 "url.query": "atem",
@@ -3436,10 +3607,10 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "www.example.org",
+ "deriti6952.mail.domain",
 "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation",
- "www5.example.com",
- "deriti6952.mail.domain"
+ "www.example.org",
+ "www5.example.com"
 ],
 "related.ip": [
 "10.183.34.1"
@@ -3468,8 +3639,8 @@
 "10.183.34.1"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.com",
 "url.query": "piciatis",
@@ -3530,8 +3701,8 @@
 "10.101.163.40"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.net",
 "url.query": "ptatems",
@@ -3567,7 +3738,12 @@
 "www5.example.com",
 "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve",
 "internal.example.com",
+<<<<<<< HEAD
 "nse3421.mail.localhost"
+=======
+ "nse3421.mail.localhost",
+ "www5.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.216.188.152"
@@ -3596,8 +3772,8 @@
 "10.216.188.152"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.com",
 "url.query": "iumdolo",
@@ -3630,8 +3806,13 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna",
+<<<<<<< HEAD
 "www5.example.org",
 "mail.example.net"
+=======
+ "mail.example.net",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.94.140.77"
@@ -3658,8 +3839,8 @@
 "10.94.140.77"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.org",
 "url.query": "lumqu",
@@ -3690,8 +3871,13 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo",
+<<<<<<< HEAD
 "www.example.com",
 "mail.example.org"
+=======
+ "mail.example.org",
+ "www.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.223.205.204"
@@ -3718,8 +3904,8 @@
 "10.223.205.204"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.com",
 "url.query": "imaveni",
@@ -3752,9 +3938,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.org",
 "example.com",
 "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula",
+=======
+ "example.com",
+ "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula",
+ "mail.example.org",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "tautfug689.localdomain"
 ],
 "related.ip": [
@@ -3784,8 +3976,8 @@
 "10.85.137.156"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.org",
 "url.query": "itametc",
@@ -3821,7 +4013,8 @@
 "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS",
 "www5.example.net",
 "mail.example.com",
- "totam6886.api.localhost"
+ "totam6886.api.localhost",
+ "www5.example.net"
 ],
 "related.ip": [
 "10.12.54.142"
@@ -3850,8 +4043,8 @@
 "10.12.54.142"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.com",
 "url.query": "riatur",
@@ -3883,8 +4076,13 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "https://example.net/labori/porai.gif?utali=sed#xeac",
 "example.net",
+=======
+ "example.net",
+ "https://example.net/labori/porai.gif?utali=sed#xeac",
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "internal.example.org"
 ],
 "related.ip": [
@@ -3912,8 +4110,8 @@
 "10.158.6.52"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "lumdo",
@@ -3946,9 +4144,14 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni",
+<<<<<<< HEAD
 "example.com",
 "www5.example.org",
 "tquo854.api.domain"
+=======
+ "tquo854.api.domain",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.195.160.182"
@@ -3977,8 +4180,8 @@
 "10.195.160.182"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.org",
 "url.query": "umfugi",
@@ -4011,8 +4214,13 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "example.net",
+<<<<<<< HEAD
 "mail.example.com",
 "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat"
+=======
+ "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat",
+ "mail.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.20.68.117"
@@ -4039,8 +4247,8 @@
 "10.20.68.117"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.com",
 "url.query": "archi",
@@ -4074,9 +4282,15 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex",
+<<<<<<< HEAD
 "www5.example.com",
 "www5.example.org",
 "venia6656.api.domain"
+=======
+ "venia6656.api.domain",
+ "www5.example.com",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.94.136.235"
@@ -4105,8 +4319,8 @@
 "10.94.136.235"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.com",
 "url.query": "upta",
@@ -4139,10 +4353,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol",
 "www.example.net",
 "example.com",
 "veniam1216.www5.invalid"
+=======
+ "example.com",
+ "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol",
+ "veniam1216.www5.invalid",
+ "www.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.152.11.26"
@@ -4171,8 +4392,8 @@
 "10.152.11.26"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.net",
 "url.query": "veleumi",
@@ -4202,8 +4423,8 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip",
- "www5.example.com",
- "runtm5729.invalid"
+ "runtm5729.invalid",
+ "www5.example.com"
 ],
 "related.ip": [
 "10.82.118.95"
@@ -4232,8 +4453,8 @@
 "10.82.118.95"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.com",
 "url.query": "Utenimad",
@@ -4294,8 +4515,8 @@
 "10.187.152.213"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.net",
 "url.query": "aqui",
@@ -4328,10 +4549,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www.example.net",
 "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo",
 "internal.example.net",
 "pta6012.www.local"
+=======
+ "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo",
+ "internal.example.net",
+ "pta6012.www.local",
+ "www.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.98.71.45"
@@ -4360,8 +4588,8 @@
 "10.98.71.45"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.net",
 "url.query": "civelits",
@@ -4394,8 +4622,8 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent",
- "www5.example.org",
- "www5.example.net"
+ "www5.example.net",
+ "www5.example.org"
 ],
 "related.ip": [
 "10.86.123.33"
@@ -4422,8 +4650,8 @@
 "10.86.123.33"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.net",
 "url.query": "Utenima",
@@ -4455,9 +4683,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www5.example.net",
 "api.example.net",
 "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi"
+=======
+ "api.example.net",
+ "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi",
+ "www5.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.6.112.183"
@@ -4484,8 +4718,8 @@
 "10.6.112.183"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.net",
 "url.query": "oremip",
@@ -4519,9 +4753,14 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu",
+<<<<<<< HEAD
 "www5.example.org",
 "example.net",
 "orsi2109.internal.home"
+=======
+ "orsi2109.internal.home",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.227.156.143"
@@ -4550,8 +4789,8 @@
 "10.227.156.143"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "tatevel",
@@ -4580,8 +4819,8 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "example.net",
- "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu",
 "example.org",
+ "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu",
 "quaeabil2539.www5.lan"
 ],
 "related.ip": [
@@ -4611,8 +4850,8 @@
 "10.124.129.248"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.org",
 "url.query": "hilmole",
@@ -4644,10 +4883,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www5.example.net",
 "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa",
 "www5.example.org",
 "aal1598.mail.host"
+=======
+ "aal1598.mail.host",
+ "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa",
+ "www5.example.net",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.173.125.112"
@@ -4676,8 +4922,8 @@
 "10.173.125.112"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.org",
 "url.query": "itaedict",
@@ -4738,8 +4984,8 @@
 "10.37.156.140"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "iss",
@@ -4769,9 +5015,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www5.example.org",
 "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex",
 "example.com"
+=======
+ "example.com",
+ "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.121.225.135"
@@ -4798,8 +5050,8 @@
 "10.121.225.135"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.com",
 "url.query": "miurere",
@@ -4830,9 +5082,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www.example.org",
 "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN",
 "mail.example.net"
+=======
+ "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN",
+ "mail.example.net",
+ "www.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.123.68.56"
@@ -4859,8 +5117,8 @@
 "10.123.68.56"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "itautfu",
@@ -4893,9 +5151,13 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.net",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "api.example.net",
 "https://api.example.net/itesse/expl.html?prehende=lup#tpers",
+ "mail.example.net",
 "oid218.api.invalid"
 ],
 "related.ip": [
@@ -4925,8 +5187,8 @@
 "10.63.56.164"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.net",
 "url.query": "temseq",
@@ -4991,8 +5253,8 @@
 "10.62.10.137"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "ttenb",
@@ -5024,9 +5286,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB",
 "api.example.net",
 "example.org",
+ "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB",
 "sequatD4487.internal.localhost"
 ],
 "related.ip": [
@@ -5056,8 +5318,8 @@
 "10.89.154.115"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.org",
 "url.query": "citation",
@@ -5089,8 +5351,13 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "api.example.org",
+<<<<<<< HEAD
 "www5.example.com",
 "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus"
+=======
+ "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus",
+ "www5.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.122.252.130"
@@ -5117,8 +5384,8 @@
 "10.122.252.130"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www5.example.com",
 "url.query": "luptasnu",
@@ -5150,8 +5417,12 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+ "api.example.com",
 "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun",
+<<<<<<< HEAD
 "api.example.com",
+=======
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 "www.example.net"
 ],
 "related.ip": [
@@ -5179,8 +5450,8 @@
 "10.195.152.53"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.com",
 "url.query": "olupta",
@@ -5209,8 +5480,8 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "mail.example.com",
 "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa",
+ "mail.example.com",
 "nul5107.www5.domain"
 ],
 "related.ip": [
@@ -5240,8 +5511,8 @@
 "10.9.255.204"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.com",
 "url.query": "urEx",
@@ -5274,10 +5545,10 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "internal.example.net",
 "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor",
- "www.example.org",
- "nimadmin5630.localdomain"
+ "internal.example.net",
+ "nimadmin5630.localdomain",
+ "www.example.org"
 ],
 "related.ip": [
 "10.214.235.133"
@@ -5306,8 +5577,8 @@
 "10.214.235.133"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "cillumdo",
@@ -5340,9 +5611,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu",
- "api.example.org",
 "api.example.com",
+ "api.example.org",
+ "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu",
 "sequuntu3563.internal.test"
 ],
 "related.ip": [
@@ -5372,8 +5643,8 @@
 "10.5.134.204"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.com",
 "url.query": "eumfu",
@@ -5405,9 +5676,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "https://example.org/rep/mveni.txt?utpers=num#ctetura",
 "internal.example.com",
 "example.org"
+=======
+ "example.org",
+ "https://example.org/rep/mveni.txt?utpers=num#ctetura",
+ "internal.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.144.111.42"
@@ -5434,8 +5711,8 @@
 "10.144.111.42"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.org",
 "url.query": "tDuisau",
@@ -5495,8 +5772,8 @@
 "10.122.0.80"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.net",
 "url.query": "antium",
@@ -5528,10 +5805,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.com",
 "www.example.net",
 "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec",
 "tdolo2150.www.example"
+=======
+ "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec",
+ "mail.example.com",
+ "tdolo2150.www.example",
+ "www.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.165.33.19"
@@ -5560,8 +5844,8 @@
 "10.165.33.19"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.com",
 "url.query": "namaliqu",
@@ -5594,10 +5878,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.org",
 "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa",
 "internal.example.org",
 "cinge6032.api.local"
+=======
+ "cinge6032.api.local",
+ "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa",
+ "internal.example.org",
+ "mail.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.87.92.17"
@@ -5626,8 +5917,8 @@
 "10.87.92.17"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.org",
 "url.query": "ctionofd",
@@ -5659,9 +5950,9 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
- "internal.example.org",
+ "example.com",
 "https://example.com/lorese/olupta.jpg?onsec=idestl#litani",
- "example.com"
+ "internal.example.org"
 ],
 "related.ip": [
 "10.51.52.203"
@@ -5688,8 +5979,8 @@
 "10.51.52.203"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.com",
 "url.query": "arch",
@@ -5721,9 +6012,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "internal.example.net",
 "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN",
 "ende6053.local"
+=======
+ "ende6053.local",
+ "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN",
+ "internal.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.0.211.86"
@@ -5752,8 +6049,8 @@
 "10.0.211.86"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.net",
 "url.query": "ursintoc",
@@ -5785,9 +6082,15 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "mail.example.net",
 "example.net",
 "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet"
+=======
+ "example.net",
+ "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet",
+ "mail.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.106.34.244"
@@ -5814,8 +6117,8 @@
 "10.106.34.244"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "mail.example.net",
 "url.query": "ssequamn",
@@ -5848,8 +6151,13 @@
 "observer.vendor": "Apache",
 "related.hosts": [
 "example.net",
+<<<<<<< HEAD
 "www.example.org",
 "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu"
+=======
+ "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu",
+ "www.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.191.210.188"
@@ -5876,8 +6184,8 @@
 "10.191.210.188"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "abill",
@@ -5938,8 +6246,8 @@
 "10.2.38.49"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.com",
 "url.query": "Duis",
@@ -5968,10 +6276,16 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+ "didun1193.example",
 "example.com",
+<<<<<<< HEAD
 "mail.example.com",
 "https://example.com/iat/tqui.gif?utaliqui=emse#emqui",
 "didun1193.example"
+=======
+ "https://example.com/iat/tqui.gif?utaliqui=emse#emqui",
+ "mail.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.66.92.90"
@@ -6000,8 +6314,8 @@
 "10.66.92.90"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.com",
 "url.query": "tlab",
@@ -6033,10 +6347,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "example.com",
 "mail.example.com",
 "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost",
 "apari2660.www5.lan"
+=======
+ "apari2660.www5.lan",
+ "example.com",
+ "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost",
+ "mail.example.com"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.97.108.108"
@@ -6065,8 +6386,8 @@
 "10.97.108.108"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "example.com",
 "url.query": "olor",
@@ -6100,8 +6421,13 @@
 "related.hosts": [
 "api.example.net",
 "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni",
+<<<<<<< HEAD
 "www5.example.org",
 "nvolupta238.www.host"
+=======
+ "nvolupta238.www.host",
+ "www5.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.147.147.248"
@@ -6130,8 +6456,8 @@
 "10.147.147.248"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "api.example.net",
 "url.query": "aborio",
@@ -6167,7 +6493,12 @@
 "www.example.org",
 "api.example.com",
 "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed",
+<<<<<<< HEAD
 "icer123.mail.example"
+=======
+ "icer123.mail.example",
+ "www.example.org"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.152.190.61"
@@ -6196,8 +6527,8 @@
 "10.152.190.61"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.org",
 "url.query": "atione",
@@ -6230,10 +6561,17 @@
 "observer.type": "Web",
 "observer.vendor": "Apache",
 "related.hosts": [
+<<<<<<< HEAD
 "www.example.net",
 "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti",
 "api.example.org",
 "lumqui6488.api.example"
+=======
+ "api.example.org",
+ "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti",
+ "lumqui6488.api.example",
+ "www.example.net"
+>>>>>>> 52f226530d... [Filebeat] Sort array fields in generated data (#25320)
 ],
 "related.ip": [
 "10.129.232.105"
@@ -6262,8 +6600,8 @@
 "10.129.232.105"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "www.example.net",
 "url.query": "eturadi",
@@ -6324,8 +6662,8 @@
 "10.12.173.112"
 ],
 "tags": [
- "tomcat.log",
- "forwarded"
+ "forwarded",
+ "tomcat.log"
 ],
 "url.domain": "internal.example.org",
 "url.query": "nidol",
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
index 8bb59328a53..088aee7aedf 100644
--- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
@@ -16,8 +16,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "start",
- "end"
+ "end",
+ "start"
 ],
 "fileset.name": "connection",
 "input.type": "log",
@@ -29,8 +29,8 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
- "192.168.86.167",
- "192.168.86.1"
+ "192.168.86.1",
+ "192.168.86.167"
 ],
 "service.type": "zeek",
 "source.address": "192.168.86.167",
@@ -39,9 +39,9 @@
 "source.packets": 1,
 "source.port": 38339,
 "tags": [
- "zeek.connection",
 "local_orig",
- "local_resp"
+ "local_resp",
+ "zeek.connection"
 ],
 "zeek.connection.history": "Dd",
 "zeek.connection.local_orig": true,
@@ -75,8 +75,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "start",
- "end"
+ "end",
+ "start"
 ],
 "fileset.name": "connection",
 "input.type": "log",
@@ -98,8 +98,8 @@
 "source.packets": 1,
 "source.port": 38340,
 "tags": [
- "zeek.connection",
- "local_orig"
+ "local_orig",
+ "zeek.connection"
 ],
 "zeek.connection.history": "Dd",
 "zeek.connection.local_orig": true,
@@ -133,8 +133,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "start",
- "end"
+ "end",
+ "start"
 ],
 "fileset.name": "connection",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json b/x-pack/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json
index 6128801caa7..822fd214a51 100644
--- a/x-pack/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json
@@ -14,8 +14,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "dce_rpc",
 "input.type": "log",
@@ -24,8 +24,8 @@
 "network.protocol": "dce_rpc",
 "network.transport": "tcp",
 "related.ip": [
- "172.16.133.6",
- "172.16.128.202"
+ "172.16.128.202",
+ "172.16.133.6"
 ],
 "service.type": "zeek",
 "source.address": "172.16.133.6",
diff --git a/x-pack/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json b/x-pack/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json
index ec36a36c503..b10a71fdd77 100644
--- a/x-pack/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json
@@ -14,8 +14,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "dhcp",
 "input.type": "log",
@@ -47,12 +47,12 @@
 "zeek.dhcp.hostname": "DESKTOP-2AEFM7G",
 "zeek.dhcp.lease_time": 1800,
 "zeek.dhcp.msg.types": [
- "REQUEST",
- "ACK"
+ "ACK",
+ "REQUEST"
 ],
 "zeek.session_id": [
- "CmWOt6VWaNGqXYcH6",
- "CLObLo4YHn0u23Tp8a"
+ "CLObLo4YHn0u23Tp8a",
+ "CmWOt6VWaNGqXYcH6"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
index c9397cc7b9f..bb22f51cf06 100644
--- a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
@@ -14,8 +14,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "dnp3",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
index 5be6888c0c9..03d8f10a3ac 100644
--- a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
@@ -6,21 +6,21 @@
 "destination.port": 53,
 "dns.answers": [
 {
- "data": "proxy-production-us-west1.gcp.cloud.es.io",
- "ttl": 119
+ "data": "35.199.178.4",
+ "ttl": 59
 },
 {
 "data": "proxy-production-us-west1-v1-009.gcp.cloud.es.io",
 "ttl": 119
 },
 {
- "data": "35.199.178.4",
- "ttl": 59
+ "data": "proxy-production-us-west1.gcp.cloud.es.io",
+ "ttl": 119
 }
 ],
 "dns.header_flags": [
- "RD",
- "RA"
+ "RA",
+ "RD"
 ],
 "dns.id": "15209",
 "dns.question.class": "IN",
@@ -55,8 +55,8 @@
 "network.community_id": "1:Z26DBGVYoBKQ1FT6qfPaAqBnJik=",
 "network.transport": "udp",
 "related.ip": [
- "192.168.86.167",
- "192.168.86.1"
+ "192.168.86.1",
+ "192.168.86.167"
 ],
 "service.type": "zeek",
 "source.address": "192.168.86.167",
@@ -75,9 +75,9 @@
 59
 ],
 "zeek.dns.answers": [
- "proxy-production-us-west1.gcp.cloud.es.io",
+ "35.199.178.4",
 "proxy-production-us-west1-v1-009.gcp.cloud.es.io",
- "35.199.178.4"
+ "proxy-production-us-west1.gcp.cloud.es.io"
 ],
 "zeek.dns.qclass": 1,
 "zeek.dns.qclass_name": "C_INTERNET",
diff --git a/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json b/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
index 0d6173e172e..e36fc1dcbc2 100644
--- a/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
@@ -21,8 +21,8 @@
 "network.community_id": "1:b+Szw+ia464igf5e+MwW1WUzw9Y=",
 "network.transport": "tcp",
 "related.ip": [
- "192.168.10.31",
- "192.168.10.10"
+ "192.168.10.10",
+ "192.168.10.31"
 ],
 "service.type": "zeek",
 "source.address": "192.168.10.31",
diff --git a/x-pack/filebeat/module/zeek/files/test/files-json.log-expected.json b/x-pack/filebeat/module/zeek/files/test/files-json.log-expected.json
index 6fc38a5d22a..0a11d5a33dd 100644
--- a/x-pack/filebeat/module/zeek/files/test/files-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/files/test/files-json.log-expected.json
@@ -23,8 +23,8 @@
 "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"
 ],
 "related.ip": [
- "35.199.178.4",
- "10.178.98.102"
+ "10.178.98.102",
+ "35.199.178.4"
 ],
 "server.ip": "35.199.178.4",
 "service.type": "zeek",
@@ -32,9 +32,9 @@
 "zeek.files"
 ],
 "zeek.files.analyzers": [
- "X509",
 "MD5",
- "SHA1"
+ "SHA1",
+ "X509"
 ],
 "zeek.files.depth": 0,
 "zeek.files.duration": 0,
@@ -76,12 +76,12 @@
 "input.type": "log",
 "log.offset": 452,
 "related.hash": [
- "b9742f12eb97eff531d94f7800c6706c",
- "b88d13fe319d342e7a808ce3a0a1158111fc3c2a"
+ "b88d13fe319d342e7a808ce3a0a1158111fc3c2a",
+ "b9742f12eb97eff531d94f7800c6706c"
 ],
 "related.ip": [
- "17.134.127.250",
- "10.178.98.102"
+ "10.178.98.102",
+ "17.134.127.250"
 ],
 "server.ip": "17.134.127.250",
 "service.type": "zeek",
@@ -89,9 +89,9 @@
 "zeek.files"
 ],
 "zeek.files.analyzers": [
- "X509",
 "MD5",
- "SHA1"
+ "SHA1",
+ "X509"
 ],
 "zeek.files.depth": 0,
 "zeek.files.duration": 0,
diff --git a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json
index 06d833b6a42..0c495c74bd5 100644
--- a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json
@@ -21,8 +21,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "irc",
 "input.type": "log",
@@ -68,8 +68,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "irc",
 "input.type": "log",
@@ -120,8 +120,8 @@
 "event.module": "zeek",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "irc",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
index 686322c4057..43862a49170 100644
--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
@@ -15,9 +15,9 @@
 "event.module": "zeek",
 "event.outcome": "success",
 "event.type": [
+ "authentication",
 "connection",
- "protocol",
- "authentication"
+ "protocol"
 ],
 "fileset.name": "kerberos",
 "input.type": "log",
@@ -26,8 +26,8 @@
 "network.protocol": "kerberos",
 "network.transport": "tcp",
 "related.ip": [
- "192.168.10.31",
- "192.168.10.10"
+ "192.168.10.10",
+ "192.168.10.31"
 ],
 "related.user": [
 "RonHD"
diff --git a/x-pack/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json b/x-pack/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json
index bf68cae48fe..676080e9d3e 100644
--- a/x-pack/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json
@@ -16,8 +16,8 @@
 "event.outcome": "success",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "mysql",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json
index 90bb5e3145e..8fa5ffbaf48 100644
--- a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json
@@ -8,8 +8,8 @@
 "event.kind": "alert",
 "event.module": "zeek",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "notice",
 "input.type": "log",
@@ -53,15 +53,15 @@
 "event.kind": "alert",
 "event.module": "zeek",
 "event.type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ],
 "fileset.name": "notice",
 "input.type": "log",
 "log.offset": 357,
 "related.ip": [
- "8.42.77.171",
- "207.154.238.205"
+ "207.154.238.205",
+ "8.42.77.171"
 ],
 "rule.description": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s",
 "rule.name": "Scan::Port_Scan",
diff --git a/x-pack/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json b/x-pack/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json
index c85d3127476..d6f6099290c 100644
--- a/x-pack/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json
@@ -13,8 +13,8 @@
 "event.kind": "event",
 "event.module": "zeek",
 "event.type": [
- "info",
- "connection"
+ "connection",
+ "info"
 ],
 "fileset.name": "ntlm",
 "input.type": "log",
@@ -23,8 +23,8 @@
 "network.protocol": "ntlm",
 "network.transport": "tcp",
 "related.ip": [
- "192.168.10.50",
- "192.168.10.31"
+ "192.168.10.31",
+ "192.168.10.50"
 ],
 "related.user": [
 "JeffV"
diff --git a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
index 940f548b1b7..0d9f847e271 100644
--- a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
@@ -20,8 +20,8 @@
 "event.original": "{\"ts\":1602116947.977,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"130.118.205.62\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":3,\"stratum\":0,\"poll\":1,\"precision\":1,\"root_delay\":0,\"root_disp\":0,\"ref_id\":\"\\\\x00\\\\x00\\\\x00\\\\x00\",\"ref_time\":0,\"org_time\":0,\"rec_time\":0,\"xmt_time\":1602116947.215,\"num_exts\":0}",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "ntp",
 "input.type": "log",
@@ -82,8 +82,8 @@
 "event.original": "{\"ts\":1602116948.081,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"130.118.205.62\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":4,\"stratum\":2,\"poll\":8,\"precision\":5.960464477539063e-8,\"root_delay\":0.00921630859375,\"root_disp\":0.0212249755859375,\"ref_id\":\"127.67.113.92\",\"ref_time\":1602116655.942,\"org_time\":1602116947.215,\"rec_time\":1602116947.964,\"xmt_time\":1602116947.964,\"num_exts\":0}",
 "event.type": [
 "connection",
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "ntp",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/zeek/pe/test/pe-json.log-expected.json b/x-pack/filebeat/module/zeek/pe/test/pe-json.log-expected.json
index 3356f0ef793..b3c023b705c 100644
--- a/x-pack/filebeat/module/zeek/pe/test/pe-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/pe/test/pe-json.log-expected.json
@@ -28,11 +28,11 @@
 "zeek.pe.machine": "I386",
 "zeek.pe.os": "Windows XP",
 "zeek.pe.section_names": [
- ".text",
- ".rdata",
 ".data",
+ ".rdata",
+ ".reloc",
 ".rsrc",
- ".reloc"
+ ".text"
 ],
 "zeek.pe.subsystem": "WINDOWS_CUI",
 "zeek.pe.uses_aslr": true,
diff --git a/x-pack/filebeat/module/zeek/radius/test/radius-json.log-expected.json b/x-pack/filebeat/module/zeek/radius/test/radius-json.log-expected.json
index 894b85f435f..bd8ab187529 100644
--- a/x-pack/filebeat/module/zeek/radius/test/radius-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/radius/test/radius-json.log-expected.json
@@ -14,8 +14,8 @@
 "event.module": "zeek",
 "event.outcome": "success",
 "event.type": [
- "info",
- "connection"
+ "connection",
+ "info"
 ],
 "fileset.name": "radius",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json b/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json
index 878eb3e2050..1d2763f149b 100644
--- a/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json
@@ -12,8 +12,8 @@
 "event.kind": "event",
 "event.module": "zeek",
 "event.type": [
- "protocol",
- "info"
+ "info",
+ "protocol"
 ],
 "fileset.name": "rdp",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json b/x-pack/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json
index 83b5544b655..822336f5ea8 100644
--- a/x-pack/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json
@@ -22,8 +22,8 @@
 "network.protocol": "rfb",
 "network.transport": "tcp",
 "related.ip": [
- "192.168.1.123",
- "192.168.1.10"
+ "192.168.1.10",
+ "192.168.1.123"
 ],
 "service.type": "zeek",
 "source.address": "192.168.1.123",
diff --git a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json
index a9e15731ebc..55c08baec97 100644
--- a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json
@@ -22,8 +22,8 @@
 "event.outcome": "failure",
 "event.type": [
 "connection",
- "protocol",
- "error"
+ "error",
+ "protocol"
 ],
 "fileset.name": "sip",
 "input.type": "log",
@@ -103,8 +103,8 @@
 "network.protocol": "sip",
 "network.transport": "udp",
 "related.ip": [
- "200.57.7.204",
- "200.57.7.195"
+ "200.57.7.195",
+ "200.57.7.204"
 ],
 "service.type": "zeek",
 "source.address": "200.57.7.204",
@@ -141,8 +141,8 @@
 "zeek.sip.response.from": "",
 "zeek.sip.response.path": [
 "SIP/2.0/UDP 200.57.7.195",
- "SIP/2.0/UDP 200.57.7.195:55061",
 "SIP/2.0/UDP 200.57.7.195",
+ "SIP/2.0/UDP 200.57.7.195:55061",
 "SIP/2.0/UDP 200.57.7.195:55061"
 ],
 "zeek.sip.response.to": "\"francisco@bestel.com\" ;tag=298852044",
@@ -188,8 +188,8 @@
 "network.protocol": "sip",
 "network.transport": "udp",
 "related.ip": [
- "200.57.7.205",
- "200.57.7.195"
+ "200.57.7.195",
+ "200.57.7.205"
 ],
 "service.type": "zeek",
 "source.address": "200.57.7.205",
diff --git a/x-pack/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json b/x-pack/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json
index e18caef3fd2..dea6f2dda60 100644
--- a/x-pack/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json
@@ -24,8 +24,8 @@ "network.protocol": "smb", "network.transport": "tcp", "related.ip": [ - "172.16.133.6", - "172.16.128.202" + "172.16.128.202", + "172.16.133.6" ], "service.type": "zeek", "source.address": "172.16.133.6", diff --git a/x-pack/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json b/x-pack/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json index c7d5ab98b78..aba4c5e6489 100644 --- a/x-pack/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json @@ -6,8 +6,8 @@ "destination.port": 445, "event.action": "SMB::FILE_OPEN", "event.category": [ - "network", - "file" + "file", + "network" ], "event.dataset": "zeek.smb_files", "event.id": "C9YAaEzWLL62yWMn5", @@ -15,8 +15,8 @@ "event.module": "zeek", "event.type": [ "connection", - "protocol", - "info" + "info", + "protocol" ], "file.accessed": "2017-10-09T16:13:19.607Z", "file.created": "2017-10-09T16:13:19.607Z", @@ -32,8 +32,8 @@ "network.protocol": "smb", "network.transport": "tcp", "related.ip": [ - "192.168.10.31", - "192.168.10.30" + "192.168.10.30", + "192.168.10.31" ], "service.type": "zeek", "source.address": "192.168.10.31", diff --git a/x-pack/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json b/x-pack/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json index 71efd1e51ac..95bb44ae35b 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json @@ -22,8 +22,8 @@ "network.protocol": "smb", "network.transport": "tcp", "related.ip": [ - "192.168.10.31", - "192.168.10.30" + "192.168.10.30", + "192.168.10.31" ], "service.type": "zeek", "source.address": "192.168.10.31", 
diff --git a/x-pack/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json b/x-pack/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json index 65345db7957..47c6aace67f 100644 --- a/x-pack/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json @@ -22,8 +22,8 @@ "network.protocol": "snmp", "network.transport": "udp", "related.ip": [ - "192.168.1.2", - "192.168.1.1" + "192.168.1.1", + "192.168.1.2" ], "service.type": "zeek", "source.address": "192.168.1.2", diff --git a/x-pack/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json b/x-pack/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json index 343aa7392e5..e0f16cfc692 100644 --- a/x-pack/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json @@ -23,8 +23,8 @@ "network.protocol": "ssh", "network.transport": "tcp", "related.ip": [ - "192.168.1.2", - "192.168.1.1" + "192.168.1.1", + "192.168.1.2" ], "service.type": "zeek", "source.address": "192.168.1.2", diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json index 72ac1dc8e22..db88b09da23 100644 --- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json @@ -65,9 +65,9 @@ "zeek.ssl.established": true, "zeek.ssl.resumed": false, "zeek.ssl.server.cert_chain_fuids": [ - "FebkbHWVCV8rEEEne", "F4BDY41MGUBT6URZMd", - "FWlfEfiHVkv8evDL3" + "FWlfEfiHVkv8evDL3", + "FebkbHWVCV8rEEEne" ], "zeek.ssl.server.issuer.common_name": "DigiCert SHA2 Secure Server CA", "zeek.ssl.server.issuer.country": "US", 
@@ -147,9 +147,9 @@ "zeek.ssl.established": true, "zeek.ssl.resumed": false, "zeek.ssl.server.cert_chain_fuids": [ - "Fue9H32OmuitQk2zR", + "FEdROj1vUzTGw3BIUa", "FpbiBP215tk2xftxM6", - "FEdROj1vUzTGw3BIUa" + "Fue9H32OmuitQk2zR" ], "zeek.ssl.server.issuer.common_name": "DigiCert SHA2 Secure Server CA", "zeek.ssl.server.issuer.country": "US", diff --git a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json index 3ef709508a3..7070aaf5b2c 100644 --- a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json @@ -25,8 +25,8 @@ "input.type": "log", "log.offset": 0, "related.ip": [ - "132.16.146.79", - "132.16.110.133" + "132.16.110.133", + "132.16.146.79" ], "service.type": "zeek", "source.address": "132.16.146.79", diff --git a/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json b/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json index 603a125ee62..242685ac8f1 100644 --- a/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json 
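Review bot: Sorting `zeek.ssl.server.cert_chain_fuids` lexically in both hunks of ssl-json.log-expected.json discards the chain order Zeek records (the fixture previously listed the leaf certificate's fuid first), so the expected data no longer pins an order that is semantically meaningful for chain validation and for analysts correlating x509 events. If the test harness applies the same sort to the generated side before comparing, as the commit title suggests, a pipeline regression that reorders this array, or the `zeek.sip.response.path` Via list in sip-json.log-expected.json, would now pass the fixture test unnoticed. Consider exempting known order-significant fields from the sort in the generator, or keeping one explicit order-sensitive assertion for them, and noting the trade-off in CHANGELOG-developer.next.asciidoc so module authors know fixtures no longer verify array order. The sorting code itself is not visible in this diff, so this is inferred from the regenerated fixtures only.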
@@ -9,69 +9,66 @@ "info" ], "file.x509.alternative_names": [ - "www.bing.com", - "dict.bing.com.cn", - "*.platform.bing.com", - "*.bing.com", - "bing.com", - "ieonline.microsoft.com", - "*.windowssearch.com", - "cn.ieonline.microsoft.com", - "*.origin.bing.com", - "*.mm.bing.net", "*.api.bing.com", - "ecn.dev.virtualearth.net", - "*.cn.bing.net", - "*.cn.bing.com", - "ssl-api.bing.com", - "ssl-api.bing.net", "*.api.bing.net", - "*.bingapis.com", - "bingsandbox.com", - "feedback.microsoft.com", - "insertmedia.bing.office.net", - "r.bat.bing.com", - "*.r.bat.bing.com", - "*.dict.bing.com.cn", - "*.dict.bing.com", - "*.ssl.bing.com", + "*.api.tiles.ditu.live.com", "*.appex.bing.com", - "*.platform.cn.bing.com", - "wp.m.bing.com", - "*.m.bing.com", - "global.bing.com", - "windowssearch.com", - "search.msn.com", + "*.bing.com", + "*.bingapis.com", "*.bingsandbox.com", - "*.api.tiles.ditu.live.com", + "*.cn.bing.com", + "*.cn.bing.net", + "*.dict.bing.com", + "*.dict.bing.com.cn", "*.ditu.live.com", + "*.m.bing.com", + "*.mm.bing.net", + "*.origin.bing.com", + "*.platform.bing.com", + "*.platform.cn.bing.com", + "*.r.bat.bing.com", + "*.ssl.bing.com", "*.t0.tiles.ditu.live.com", "*.t1.tiles.ditu.live.com", "*.t2.tiles.ditu.live.com", "*.t3.tiles.ditu.live.com", "*.tiles.ditu.live.com", + "*.windowssearch.com", "3d.live.com", "api.search.live.com", "beta.search.live.com", + "bing.com", + "bingsandbox.com", + "cn.ieonline.microsoft.com", "cnweb.search.live.com", "dev.live.com", + "dict.bing.com.cn", "ditu.live.com", + "ecn.dev.virtualearth.net", "farecast.live.com", + "feedback.microsoft.com", + "global.bing.com", + "ieonline.microsoft.com", "image.live.com", "images.live.com", + "insertmedia.bing.office.net", + "local.live.com", "local.live.com.au", "localsearch.live.com", "ls4d.search.live.com", "mail.live.com", "mapindia.live.com", - "local.live.com", "maps.live.com", "maps.live.com.au", "mindia.live.com", "news.live.com", "origin.cnweb.search.live.com", 
"preview.local.live.com", + "r.bat.bing.com", "search.live.com", + "search.msn.com", + "ssl-api.bing.com", + "ssl-api.bing.net", "test.maps.live.com", "video.live.com", "videos.live.com", @@ -79,6 +76,9 @@ "wap.live.com", "webmaster.live.com", "webmasters.live.com", + "windowssearch.com", + "wp.m.bing.com", + "www.bing.com", "www.local.live.com.au", "www.maps.live.com.au" ], 
@@ -122,69 +122,66 @@ "zeek.x509.certificate.valid.until": "2019-07-10T17:47:08.000Z", "zeek.x509.certificate.version": 3, "zeek.x509.san.dns": [ - "www.bing.com", - "dict.bing.com.cn", - "*.platform.bing.com", - "*.bing.com", - "bing.com", - "ieonline.microsoft.com", - "*.windowssearch.com", - "cn.ieonline.microsoft.com", - "*.origin.bing.com", - "*.mm.bing.net", "*.api.bing.com", - "ecn.dev.virtualearth.net", - "*.cn.bing.net", - "*.cn.bing.com", - "ssl-api.bing.com", - "ssl-api.bing.net", "*.api.bing.net", - "*.bingapis.com", - "bingsandbox.com", - "feedback.microsoft.com", - "insertmedia.bing.office.net", - "r.bat.bing.com", - "*.r.bat.bing.com", - "*.dict.bing.com.cn", - "*.dict.bing.com", - "*.ssl.bing.com", + "*.api.tiles.ditu.live.com", "*.appex.bing.com", - "*.platform.cn.bing.com", - "wp.m.bing.com", - "*.m.bing.com", - "global.bing.com", - "windowssearch.com", - "search.msn.com", + "*.bing.com", + "*.bingapis.com", "*.bingsandbox.com", - "*.api.tiles.ditu.live.com", + "*.cn.bing.com", + "*.cn.bing.net", + "*.dict.bing.com", + "*.dict.bing.com.cn", "*.ditu.live.com", + "*.m.bing.com", + "*.mm.bing.net", + "*.origin.bing.com", + "*.platform.bing.com", + "*.platform.cn.bing.com", + "*.r.bat.bing.com", + "*.ssl.bing.com", "*.t0.tiles.ditu.live.com", "*.t1.tiles.ditu.live.com", "*.t2.tiles.ditu.live.com", "*.t3.tiles.ditu.live.com", "*.tiles.ditu.live.com", + "*.windowssearch.com", "3d.live.com", "api.search.live.com", "beta.search.live.com", + "bing.com", + "bingsandbox.com", + "cn.ieonline.microsoft.com", "cnweb.search.live.com", "dev.live.com", + "dict.bing.com.cn", "ditu.live.com", + "ecn.dev.virtualearth.net", "farecast.live.com", + "feedback.microsoft.com", + "global.bing.com", + "ieonline.microsoft.com", "image.live.com", "images.live.com", + "insertmedia.bing.office.net", + "local.live.com", "local.live.com.au", "localsearch.live.com", "ls4d.search.live.com", "mail.live.com", "mapindia.live.com", - "local.live.com", "maps.live.com", 
"maps.live.com.au", "mindia.live.com", "news.live.com", "origin.cnweb.search.live.com", "preview.local.live.com", + "r.bat.bing.com", "search.live.com", + "search.msn.com", + "ssl-api.bing.com", + "ssl-api.bing.net", "test.maps.live.com", "video.live.com", "videos.live.com", @@ -192,6 +189,9 @@ "wap.live.com", "webmaster.live.com", "webmasters.live.com", + "windowssearch.com", + "wp.m.bing.com", + "www.bing.com", "www.local.live.com.au", "www.maps.live.com.au" ] diff --git a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json index cb63b4bead7..00d413a1487 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json @@ -11,8 +11,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "user", - "creation" + "creation", + "user" ], "fileset.name": "webhook", "input.type": "log", @@ -20,13 +20,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLohghhRgfgrbTayCX6r2Q_qQsQ", - "e2ZHO5RSGqyfrmFnElxw" + "e2ZHO5RSGqyfrmFnElxw", + "uLohghhRgfgrbTayCX6r2Q_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "youramazingemailhere@somemail.com", "user.id": "uLohghhRgfgrbTayCX6r2Q_qQsQ", @@ -51,8 +51,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "webhook", "input.type": "log", @@ -60,13 +60,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "iKoRgfbaTazDX6r2Q_eQsQL", - "eFs_EGRCq6ByEyA73qCA" + "eFs_EGRCq6ByEyA73qCA", + "iKoRgfbaTazDX6r2Q_eQsQL" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.changes.full_name": "Michael Harris", "user.changes.name": "MH", 
@@ -97,8 +97,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "user", - "change" + "change", + "user" ], "fileset.name": "webhook", "input.type": "log", @@ -106,13 +106,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "gdjfdhjLsuhfvhjd", - "eZbcHO5RSGqyKAUmFnElxw" + "eZbcHO5RSGqyKAUmFnElxw", + "gdjfdhjLsuhfvhjd" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "youremail@someemail.com", "user.id": "gdjfdhjLsuhfvhjd", diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json index 97dfbf0338d..c786b2a2293 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json @@ -16,14 +16,14 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ + "sdfdsfdsKIrrCYw", "z8dfgdfguQrdfgdf", - "z8dfgdfguQrdfgdf", - "sdfdsfdsKIrrCYw" + "z8dfgdfguQrdfgdf" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "somememai@gmtsffjdfhail.com", "user.id": "z8dfgdfguQrdfgdf", @@ -55,8 +55,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "somememai@gmtsffjdfhail.com", "user.id": "z8dfgdfguQrdfgdf", @@ -88,8 +88,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "somememai@gmtsffjdfhail.com", "user.id": "z8dfgdfguQrdfgdf", 
@@ -117,13 +117,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8dfgdfguQrdfgdf", - "s0hhFOCYw" + "s0hhFOCYw", + "z8dfgdfguQrdfgdf" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "somememai@gmtsffjdfhail.com", "user.id": "z8dfgdfguQrdfgdf", @@ -155,8 +155,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "somememai@gmtsffjdfhail.com", "user.id": "z8dfgdfguQrdfgdf", @@ -188,8 +188,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "somememai@gmtsffjdfhail.com", "user.id": "z8dfgdfguQrdfgdf", diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json index 348ffc2bac6..c9f53ab9ed6 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json @@ -8,8 +8,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "creation" + "creation", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -21,8 +21,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someoperatoremail@somekindofmailservice123.com", "user.id": "zfdgdfgdfgfp8uQ", @@ -45,8 +45,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -58,8 +58,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someoperatoremail@somekindofmailservice123.com", "user.id": "zfdgdfgdfgfp8uQ", 
@@ -82,8 +82,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -95,8 +95,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someoperatoremail@somekindofmailservice123.com", "user.id": "zfdgdfgdfgfp8uQ", diff --git a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json index 723a37a326f..aa540fa4d88 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json @@ -21,8 +21,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.id": "z8yCxTTTTSiw02QgCAp8uQ", "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", @@ -44,8 +44,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "creation" + "creation", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -57,8 +57,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someemail@email.com", "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", @@ -83,8 +83,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -96,8 +96,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "url.domain": "zoom.us", "url.full": "https://zoom.us/j/00000000", @@ -132,8 +132,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "deletion" + "deletion", + "info" ], "fileset.name": "webhook", "input.type": "log", 
@@ -145,8 +145,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someemail@email.com", "user.id": "BBBBBBBBBB", @@ -184,8 +184,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", @@ -206,8 +206,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -219,8 +219,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", @@ -242,8 +242,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "creation" + "creation", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -255,8 +255,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "url.domain": "zoom.us", "url.full": "https://zoom.us/w/someendpointhere", @@ -301,8 +301,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -315,8 +315,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "somemail@email.com", "user.id": "Lobbbbbbbbbb_qQsQ", @@ -357,8 +357,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", @@ -399,8 +399,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "Arya Arya", "user.id": "s0AAAASoSE1V8KIFOCYw", 
@@ -430,8 +430,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -444,8 +444,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "Arya Arya", "user.id": "s0AAAASoSE1V8KIFOCYw", @@ -488,8 +488,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "Shrijana Shrijana", "user.id": "z8yCxjjyTAAAA2QgCfp8uQ", @@ -524,8 +524,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "Tom Harry", "user.id": "zf8yCxjjyTSdteriw02QgCfp8uQ", @@ -561,8 +561,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "shree", "user.id": "iFxeBPYun6SAiWUzBcEkX", @@ -601,8 +601,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "shree", "user.id": "iFxeBPYun6SAiWUzBcEkX", diff --git a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json index ee24b279b3c..7be21d421be 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json @@ -8,8 +8,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "creation" + "creation", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -22,8 +22,8 @@ "service.type": "zoom", "source.user.id": "cadsd32wA", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPeQ33fdf34YxHMA", "zoom.phone.call_id": "ddd5540", 
@@ -59,8 +59,8 @@ "service.type": "zoom", "source.user.id": "cajhdsf3wA", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPeQdfg34VYxHMA", "zoom.phone.call_id": "684445540", @@ -83,8 +83,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "creation" + "creation", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -97,8 +97,8 @@ "service.type": "zoom", "source.user.id": "z8yCxjgjsuyd58uQ", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "cbvxnYyO30GVYxHMA", "zoom.phone.call_id": "68sdsasdda7", @@ -133,8 +133,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPsjdhgffgHMA", "zoom.phone.answer_start_time": "2020-07-22T01:42:04Z", @@ -158,8 +158,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -171,8 +171,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPeQjuh6768MA", "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", @@ -195,8 +195,8 @@ "event.start": "2020-07-22T21:09:20Z", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -208,8 +208,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPeQjuh6768MA", "zoom.phone.answer_start_time": "2020-07-22T21:09:20Z", @@ -233,8 +233,8 @@ "event.start": "2020-07-22T21:09:20Z", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", 
@@ -246,8 +246,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPeQjuh6768MA", "zoom.phone.answer_start_time": "2020-07-22T21:09:20Z", @@ -283,8 +283,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "MKDRWo34535wow", "zoom.phone.call_end_time": "2020-07-22T21:06:39Z", @@ -317,8 +317,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "url.domain": "testurl.com", "url.extension": "mp4", @@ -357,8 +357,8 @@ "observer.vendor": "Zoom", "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPebnxvbdn342MA", "zoom.phone.user_id": "caddsfsdfv_VaHE53wA" @@ -381,8 +381,8 @@ "observer.vendor": "Zoom", "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPeQt3543hvxzc", "zoom.phone.user_id": "z8sdfsdfds3uQ" diff --git a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json index a0296121e1a..52ce9f73d50 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json @@ -22,8 +22,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", @@ -46,8 +46,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -59,8 +59,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", 
@@ -83,8 +83,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -96,8 +96,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", @@ -121,8 +121,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -134,8 +134,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.id": "uLobbbbbbbbbb_qQsQ", "zoom.account_id": "lAAAAAAAAAAAAA", @@ -159,8 +159,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -172,8 +172,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "url.domain": "zoom.us", "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", @@ -203,8 +203,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -216,8 +216,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "shrifdfdh@kjdmail.com", "user.id": "zdhghgCfp8uQ", @@ -242,8 +242,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "deletion" + "deletion", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -255,8 +255,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "url.domain": "zoom.us", "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", 
@@ -285,8 +285,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "deletion" + "deletion", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -298,8 +298,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "url.domain": "zoom.us", "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", @@ -328,8 +328,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -341,8 +341,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "url.domain": "zoom.us", "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", @@ -371,8 +371,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -384,8 +384,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "url.domain": "zoom.us", "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", @@ -414,8 +414,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "creation" + "creation", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -423,13 +423,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ", - "U0BBBBBBBBBBfrUz1Q" + "U0BBBBBBBBBBfrUz1Q", + "uLobbbbbbbbbb_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "coolemail@email.com", "user.full_name": "Cool Person", @@ -457,8 +457,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "allowed" + "allowed", + "info" ], "fileset.name": "webhook", "input.type": "log", 
@@ -466,13 +466,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ", - "U0BBBBBBBBBBfrUz1Q" + "U0BBBBBBBBBBfrUz1Q", + "uLobbbbbbbbbb_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "coolemail@email.com", "user.full_name": "Cool Person", @@ -500,8 +500,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "denied", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -509,13 +509,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ", - "U0BBBBBBBBBBfrUz1Q" + "U0BBBBBBBBBBfrUz1Q", + "uLobbbbbbbbbb_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "coolemail@email.com", "user.full_name": "Cool Person", diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json index f643dda0471..16ed5c7c5df 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json @@ -20,8 +20,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "anawesomeuser@email.com", "user.target.email": "henrysemail@email.com", @@ -60,8 +60,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "maria@maria.developer.dfgfdgf", "user.full_name": "Maria CoolPerson", @@ -85,8 +85,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "creation", - "change" + "change", + "creation" ], "fileset.name": "webhook", "input.type": "log", 
@@ -99,8 +99,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "shrija2016+dev_ma@gmail.com", "user.id": "uLobbbbbbbb_qQsQ", @@ -126,8 +126,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "creation", - "change" + "change", + "creation" ], "fileset.name": "webhook", "input.type": "log", @@ -135,13 +135,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLoRgfbbTayCX6r2Q_qQsQ", - "uL34AAbbbbAAAAAAQsQ" + "uL34AAbbbbAAAAAAQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "iamtheoperator@gmail.com", "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", @@ -167,8 +167,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "creation", - "change" + "change", + "creation" ], "fileset.name": "webhook", "input.type": "log", @@ -181,8 +181,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "somememail@randommailer28.com", "user.id": "fdhjfdhsj536274gfd", @@ -207,8 +207,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "creation", - "change" + "change", + "creation" ], "fileset.name": "webhook", "input.type": "log", @@ -216,13 +216,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8yCxjabcdEFGHfp8uQ", - "abcD3ojfdbjfg" + "abcD3ojfdbjfg", + "z8yCxjabcdEFGHfp8uQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "anawesomeuser@email.com", "user.id": "z8yCxjabcdEFGHfp8uQ", @@ -250,8 +250,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "creation", - "change" + "change", + "creation" ], "fileset.name": "webhook", "input.type": "log", 
@@ -259,13 +259,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8yCxjabcdEFGHfp8uQ", - "abcD3ojfdbjfg" + "abcD3ojfdbjfg", + "z8yCxjabcdEFGHfp8uQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "anawesomeuser@email.com", "user.id": "z8yCxjabcdEFGHfp8uQ", @@ -293,8 +293,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "creation", - "change" + "change", + "creation" ], "fileset.name": "webhook", "input.type": "log", @@ -302,13 +302,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8yCxjabcdEFGHfp8uQ", - "abcD3ojfdbjfg" + "abcD3ojfdbjfg", + "z8yCxjabcdEFGHfp8uQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "anawesomeuser@email.com", "user.id": "z8yCxjabcdEFGHfp8uQ", @@ -345,13 +345,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8yCxjabcdEFGHfp8uQ", - "abcD3ojfdbjfg" + "abcD3ojfdbjfg", + "z8yCxjabcdEFGHfp8uQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "anawesomeuser@email.com", "user.id": "z8yCxjabcdEFGHfp8uQ", @@ -379,8 +379,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "creation", - "change" + "change", + "creation" ], "fileset.name": "webhook", "input.type": "log", @@ -392,8 +392,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "sfdhfghfgh@dkjdfd.com", "user.id": "z8ycx1223fq", @@ -414,8 +414,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "creation", - "change" + "change", + "creation" ], "fileset.name": "webhook", "input.type": "log", 
@@ -427,8 +427,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "sdfsgdfg@fjghg.ghm", "user.id": "z8aggp8uq", @@ -465,8 +465,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "awesomeuser@awesomemeail.ghkgf", "user.id": "djkglfdgkjdflghfdpe", @@ -501,8 +501,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "awesomeuser@awesomemeail.ghkgf", "user.id": "djkglfdgkjdflghfdpe", diff --git a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json index 0c59a8beb21..42c54450c79 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json @@ -8,8 +8,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "creation" + "creation", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -21,8 +21,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someemail@email.com", "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", @@ -47,8 +47,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -60,8 +60,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someemail@email.com", "user.id": "BBBBBBBBBB", @@ -91,8 +91,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "deletion" + "deletion", + "info" ], "fileset.name": "webhook", "input.type": "log", 
@@ -104,8 +104,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someemail@email.com", "user.id": "uLoRgfbbTayCX6r2Q_qQsQ", @@ -143,8 +143,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someemail@email.com", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", @@ -167,8 +167,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "end" + "end", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -180,8 +180,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "someemail@email.com", "zoom.account_id": "o8KK_AAACq6BBEyA70CA", @@ -216,8 +216,8 @@ ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.webinar.duration": 60, "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", @@ -247,13 +247,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8yCxTTTTSiw02QgCAp8uQ", - "s0AAAASoSE1V8KIFOCYw" + "s0AAAASoSE1V8KIFOCYw", + "z8yCxTTTTSiw02QgCAp8uQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "Arya Arya", "user.id": "s0AAAASoSE1V8KIFOCYw", @@ -293,13 +293,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "z8yCxTTTTSiw02QgCAp8uQ", - "s0AAAASoSE1V8KIFOCYw" + "s0AAAASoSE1V8KIFOCYw", + "z8yCxTTTTSiw02QgCAp8uQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "Arya Arya", "user.id": "s0AAAASoSE1V8KIFOCYw", @@ -330,8 +330,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "creation" + "creation", + "info" ], "fileset.name": "webhook", "input.type": "log", 
@@ -339,13 +339,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ", - "U0BBBBBBBBBBfrUz1Q" + "U0BBBBBBBBBBfrUz1Q", + "uLobbbbbbbbbb_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "coolemail@email.com", "user.full_name": "Cool Person", @@ -388,9 +388,9 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", "allowed", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -399,13 +399,13 @@ "observer.vendor": "Zoom", "related.user": [ "Lobbbbbbbbbb_qQsQ", - "uLobbbbbbbbbb_qQsQ", - "U0BBBBBBBBBBfrUz1Q" + "U0BBBBBBBBBBfrUz1Q", + "uLobbbbbbbbbb_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "coolemail@email.com", "user.full_name": "Cool Person", @@ -435,9 +435,9 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", + "change", "denied", - "change" + "info" ], "fileset.name": "webhook", "input.type": "log", @@ -445,13 +445,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ", - "U0BBBBBBBBBBfrUz1Q" + "U0BBBBBBBBBBfrUz1Q", + "uLobbbbbbbbbb_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "coolemail@email.com", "user.full_name": "Cool Person", @@ -480,8 +480,8 @@ "event.module": "zoom", "event.timezone": "-02:00", "event.type": [ - "info", - "change" + "change", + "info" ], "fileset.name": "webhook", "input.type": "log", 
@@ -489,13 +489,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLobbbbbbbbbb_qQsQ", - "U0BBBBBBBBBBfrUz1Q" + "U0BBBBBBBBBBfrUz1Q", + "uLobbbbbbbbbb_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.email": "coolemail@email.com", "user.full_name": "Cool Person", @@ -532,13 +532,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLoRgfbbTayCX6r2Q_qQsQ", - "iFxeBPYun6SAiWUzBcEkX" + "iFxeBPYun6SAiWUzBcEkX", + "uLoRgfbbTayCX6r2Q_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "shree", "user.id": "iFxeBPYun6SAiWUzBcEkX", @@ -574,13 +574,13 @@ "observer.product": "Webhook", "observer.vendor": "Zoom", "related.user": [ - "uLoRgfbbTayCX6r2Q_qQsQ", - "iFxeBPYun6SAiWUzBcEkX" + "iFxeBPYun6SAiWUzBcEkX", + "uLoRgfbbTayCX6r2Q_qQsQ" ], "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "user.full_name": "shree", "user.id": "iFxeBPYun6SAiWUzBcEkX", diff --git a/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json index 0d567d8ccd6..11e11b476ed 100644 --- a/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json +++ b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json @@ -14,8 +14,8 @@ "observer.vendor": "Zoom", "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPAbcdefyZslakjflP", "zoom.zoomroom.alert_kind": 1, @@ -42,8 +42,8 @@ "observer.vendor": "Zoom", "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "EPAbcdefyZslakjflP", "zoom.zoomroom.alert_kind": 1, 
@@ -74,8 +74,8 @@ "observer.vendor": "Zoom", "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "vhdnmf673q2543rfhgsca", "zoom.zoomroom.calendar_id": "mytestemailaddress123444@zoom.us", @@ -106,8 +106,8 @@ "observer.vendor": "Zoom", "service.type": "zoom", "tags": [ - "zoom-webhook", - "forwarded" + "forwarded", + "zoom-webhook" ], "zoom.account_id": "vhdnmf673q2543rfhgsca", "zoom.zoomroom.calendar_id": "mytestemailaddress123444@zoom.us", diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 7e56914e2b8..e19c3b8d2be 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -41,8 +41,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntium", "rsa.misc.action": [ - "pisciv", - "Blocked" + "Blocked", + "pisciv" ], "rsa.misc.category": "umq", "rsa.misc.filter": "oremi", @@ -62,8 +62,8 @@ "10.176.10.114" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.com", "url.extension": "htm", @@ -142,8 +142,8 @@ "10.26.46.95" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.net", "url.extension": "jpg", @@ -224,8 +224,8 @@ "10.254.146.57" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.com", "url.extension": "gif", @@ -306,8 +306,8 @@ "10.252.125.53" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.org", "url.extension": "jpg", @@ -352,8 +352,8 @@ "ore2933.www.test" ], "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" ], "related.user": [ "ercit" 
@@ -388,8 +388,8 @@ "10.136.153.149" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.com", "url.extension": "gif", @@ -434,8 +434,8 @@ "ollit4105.mail.localdomain" ], "related.ip": [ - "10.66.250.92", - "10.183.16.166" + "10.183.16.166", + "10.66.250.92" ], "related.user": [ "tessec" @@ -449,8 +449,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "ist", - "Allowed" + "Allowed", + "ist" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -470,8 +470,8 @@ "10.66.250.92" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "jpg", @@ -531,8 +531,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "dun", - "Blocked" + "Blocked", + "dun" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -552,8 +552,8 @@ "10.123.104.59" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "txt", @@ -634,8 +634,8 @@ "10.74.17.5" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.net", "url.extension": "jpg", @@ -716,8 +716,8 @@ "10.25.192.202" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.net", "url.extension": "txt", @@ -777,8 +777,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "psaquae", - "Allowed" + "Allowed", + "psaquae" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -798,8 +798,8 @@ "10.135.225.244" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "gif", 
@@ -880,8 +880,8 @@ "10.19.145.131" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.org", "url.extension": "htm", @@ -941,8 +941,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dolorem", "rsa.misc.action": [ - "lorsitam", - "Allowed" + "Allowed", + "lorsitam" ], "rsa.misc.category": "proide", "rsa.misc.filter": "pariatu", @@ -962,8 +962,8 @@ "10.181.80.139" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.net", "url.extension": "htm", @@ -1008,8 +1008,8 @@ "uamei2493.www.test" ], "related.ip": [ - "10.31.240.6", - "10.167.98.76" + "10.167.98.76", + "10.31.240.6" ], "related.user": [ "ratvolu" @@ -1023,8 +1023,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "veni", - "Allowed" + "Allowed", + "veni" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -1044,8 +1044,8 @@ "10.167.98.76" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "html", @@ -1126,8 +1126,8 @@ "10.135.160.125" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.org", "url.extension": "html", @@ -1187,8 +1187,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "ntoccae", - "Allowed" + "Allowed", + "ntoccae" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1208,8 +1208,8 @@ "10.111.187.12" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.net", "url.extension": "html", @@ -1254,8 +1254,8 @@ "tlab5981.www.host" ], "related.ip": [ - "10.5.126.127", - "10.252.124.150" + "10.252.124.150", + "10.5.126.127" ], "related.user": [ "inibusB" 
@@ -1269,8 +1269,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "xeacomm", - "Allowed" + "Allowed", + "xeacomm" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1290,8 +1290,8 @@ "10.252.124.150" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.com", "url.extension": "txt", @@ -1372,8 +1372,8 @@ "10.91.126.231" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.net", "url.extension": "jpg", @@ -1418,8 +1418,8 @@ "oditem5255.api.localdomain" ], "related.ip": [ - "10.135.82.97", - "10.107.251.87" + "10.107.251.87", + "10.135.82.97" ], "related.user": [ "str" @@ -1454,8 +1454,8 @@ "10.107.251.87" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "gif", @@ -1515,8 +1515,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "oNemoeni", "rsa.misc.action": [ - "nre", - "Blocked" + "Blocked", + "nre" ], "rsa.misc.category": "labo", "rsa.misc.filter": "tutlab", @@ -1536,8 +1536,8 @@ "10.215.205.216" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.com", "url.extension": "gif", @@ -1582,8 +1582,8 @@ "eacommod1930.internal.lan" ], "related.ip": [ - "10.29.155.171", - "10.229.83.165" + "10.229.83.165", + "10.29.155.171" ], "related.user": [ "ulapar" @@ -1618,8 +1618,8 @@ "10.229.83.165" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.org", "url.extension": "gif", @@ -1700,8 +1700,8 @@ "10.161.148.64" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.com", "url.extension": "htm", 
@@ -1761,8 +1761,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "nte", - "Allowed" + "Allowed", + "nte" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", @@ -1782,8 +1782,8 @@ "10.203.65.161" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.org", "url.extension": "html", @@ -1828,8 +1828,8 @@ "licabo1493.api.corp" ], "related.ip": [ - "10.86.22.67", - "10.218.98.29" + "10.218.98.29", + "10.86.22.67" ], "related.user": [ "olori" @@ -1864,8 +1864,8 @@ "10.218.98.29" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.org", "url.extension": "html", @@ -1925,8 +1925,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ulpa", "rsa.misc.action": [ - "gnaal", - "Allowed" + "Allowed", + "gnaal" ], "rsa.misc.category": "nte", "rsa.misc.filter": "pid", @@ -1946,8 +1946,8 @@ "10.24.111.229" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.com", "url.extension": "gif", @@ -1992,8 +1992,8 @@ "sitam5077.internal.host" ], "related.ip": [ - "10.32.39.220", - "10.179.210.218" + "10.179.210.218", + "10.32.39.220" ], "related.user": [ "boreetdo" @@ -2028,8 +2028,8 @@ "10.32.39.220" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.org", "url.extension": "jpg", @@ -2110,8 +2110,8 @@ "10.88.172.34" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.com", "url.extension": "html", @@ -2156,8 +2156,8 @@ "lloin4019.www.localhost" ], "related.ip": [ - "10.238.224.49", - "10.130.241.232" + "10.130.241.232", + "10.238.224.49" ], "related.user": [ "onse" 
@@ -2192,8 +2192,8 @@ "10.238.224.49" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.org", "url.extension": "txt", @@ -2253,8 +2253,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "tatem", - "Allowed" + "Allowed", + "tatem" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2274,8 +2274,8 @@ "10.2.67.127" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.com", "url.extension": "htm", @@ -2320,8 +2320,8 @@ "saquaea6344.www.invalid" ], "related.ip": [ - "10.204.214.251", - "10.101.38.213" + "10.101.38.213", + "10.204.214.251" ], "related.user": [ "ueipsa" @@ -2356,8 +2356,8 @@ "10.101.38.213" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "jpg", @@ -2438,8 +2438,8 @@ "10.101.85.169" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.com", "url.extension": "jpg", @@ -2499,8 +2499,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mag", "rsa.misc.action": [ - "tali", - "Allowed" + "Allowed", + "tali" ], "rsa.misc.category": "oconse", "rsa.misc.filter": "npr", @@ -2520,8 +2520,8 @@ "10.242.182.193" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.com", "url.extension": "gif", @@ -2602,8 +2602,8 @@ "10.80.57.247" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.net", "url.extension": "jpg", @@ -2648,8 +2648,8 @@ "lapar1599.www.lan" ], "related.ip": [ - "10.193.66.155", - "10.106.77.138" + "10.106.77.138", + "10.193.66.155" ], "related.user": [ "iusmodt" 
@@ -2663,8 +2663,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Section", - "Allowed" + "Allowed", + "Section" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2684,8 +2684,8 @@ "10.106.77.138" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.com", "url.extension": "txt", @@ -2730,8 +2730,8 @@ "aquioff3853.www.localdomain" ], "related.ip": [ - "10.54.159.1", - "10.236.230.136" + "10.236.230.136", + "10.54.159.1" ], "related.user": [ "mUteni" @@ -2766,8 +2766,8 @@ "10.54.159.1" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "txt", @@ -2848,8 +2848,8 @@ "10.131.246.134" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.com", "url.extension": "gif", @@ -2909,8 +2909,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "doconse", - "Blocked" + "Blocked", + "doconse" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2930,8 +2930,8 @@ "10.166.10.42" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "html", @@ -3012,8 +3012,8 @@ "10.128.184.241" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.com", "url.extension": "html", @@ -3094,8 +3094,8 @@ "10.213.57.165" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.net", "url.extension": "html", @@ -3176,8 +3176,8 @@ "10.55.81.14" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.org", "url.extension": "gif", 
@@ -3222,8 +3222,8 @@ "pariatur7238.www5.invalid" ], "related.ip": [ - "10.33.144.10", - "10.202.224.79" + "10.202.224.79", + "10.33.144.10" ], "related.user": [ "rios" @@ -3237,8 +3237,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "quu", - "Blocked" + "Blocked", + "quu" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -3258,8 +3258,8 @@ "10.202.224.79" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.org", "url.extension": "gif", @@ -3319,8 +3319,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "quid", - "Allowed" + "Allowed", + "quid" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -3340,8 +3340,8 @@ "10.20.124.138" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.com", "url.extension": "jpg", @@ -3422,8 +3422,8 @@ "10.118.177.136" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.net", "url.extension": "html", @@ -3483,8 +3483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "edutp", - "Allowed" + "Allowed", + "edutp" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", @@ -3504,8 +3504,8 @@ "10.125.120.97" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.org", "url.extension": "htm", @@ -3586,8 +3586,8 @@ "10.137.164.122" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.org", "url.extension": "htm", @@ -3668,8 +3668,8 @@ "10.156.177.53" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "gif", 
@@ -3729,8 +3729,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "upta", - "Blocked" + "Blocked", + "upta" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3750,8 +3750,8 @@ "10.111.249.184" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.org", "url.extension": "txt", @@ -3796,8 +3796,8 @@ "idexeac1655.internal.test" ], "related.ip": [ - "10.180.150.47", - "10.141.195.13" + "10.141.195.13", + "10.180.150.47" ], "related.user": [ "taliq" @@ -3811,8 +3811,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "uip", - "Allowed" + "Allowed", + "uip" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3832,8 +3832,8 @@ "10.180.150.47" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.com", "url.extension": "htm", @@ -3878,8 +3878,8 @@ "laboree3880.api.invalid" ], "related.ip": [ - "10.255.40.12", - "10.166.195.20" + "10.166.195.20", + "10.255.40.12" ], "related.user": [ "lamcolab" @@ -3914,8 +3914,8 @@ "10.255.40.12" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.org", "url.extension": "gif", @@ -3994,8 +3994,8 @@ "10.100.143.226" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.org", "url.extension": "html", @@ -4040,8 +4040,8 @@ "ine3181.www.invalid" ], "related.ip": [ - "10.121.9.5", - "10.119.53.68" + "10.119.53.68", + "10.121.9.5" ], "related.user": [ "ssec" @@ -4076,8 +4076,8 @@ "10.121.9.5" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.com", "url.extension": "htm", 
@@ -4137,8 +4137,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "dolor", - "Blocked" + "Blocked", + "dolor" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -4158,8 +4158,8 @@ "10.31.153.177" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.com", "url.extension": "jpg", @@ -4202,8 +4202,8 @@ "pitl6126.www.localdomain" ], "related.ip": [ - "10.243.182.229", - "10.229.102.140" + "10.229.102.140", + "10.243.182.229" ], "related.user": [ "duntut" @@ -4238,8 +4238,8 @@ "10.229.102.140" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.org", "url.extension": "jpg", @@ -4316,8 +4316,8 @@ "10.120.138.109" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.com", "url.extension": "jpg", @@ -4398,8 +4398,8 @@ "10.133.102.57" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.org", "url.extension": "html", @@ -4444,8 +4444,8 @@ "cia5990.api.localdomain" ], "related.ip": [ - "10.91.2.225", - "10.89.41.97" + "10.89.41.97", + "10.91.2.225" ], "related.user": [ "tem" @@ -4480,8 +4480,8 @@ "10.89.41.97" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.org", "url.extension": "gif", @@ -4562,8 +4562,8 @@ "10.7.18.226" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.net", "url.extension": "jpg", @@ -4608,8 +4608,8 @@ "pici1525.www5.corp" ], "related.ip": [ - "10.178.148.188", - "10.155.252.123" + "10.155.252.123", + "10.178.148.188" ], "related.user": [ "inrepreh" 
@@ -4623,8 +4623,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inimve", "rsa.misc.action": [ - "niam", - "Allowed" + "Allowed", + "niam" ], "rsa.misc.category": "perspici", "rsa.misc.filter": "uipe", @@ -4644,8 +4644,8 @@ "10.155.252.123" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.com", "url.extension": "jpg", @@ -4690,8 +4690,8 @@ "dolo6418.internal.host" ], "related.ip": [ - "10.220.1.249", - "10.190.42.245" + "10.190.42.245", + "10.220.1.249" ], "related.user": [ "olup" @@ -4705,8 +4705,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "aerat", - "Blocked" + "Blocked", + "aerat" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4726,8 +4726,8 @@ "10.220.1.249" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "html", @@ -4770,8 +4770,8 @@ "imveni193.www5.host" ], "related.ip": [ - "10.55.38.153", - "10.112.190.154" + "10.112.190.154", + "10.55.38.153" ], "related.user": [ "oremeu" @@ -4806,8 +4806,8 @@ "10.55.38.153" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.com", "url.extension": "txt", @@ -4888,8 +4888,8 @@ "10.250.48.82" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.com", "url.extension": "jpg", @@ -4970,8 +4970,8 @@ "10.60.52.219" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "jpg", @@ -5027,8 +5027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dipisc", "rsa.misc.action": [ - "turad", - "Allowed" + "Allowed", + "turad" ], "rsa.misc.category": "ulpaquio", "rsa.misc.filter": "ngelits", 
@@ -5048,8 +5048,8 @@ "10.122.102.156" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.com", "url.extension": "gif", @@ -5094,8 +5094,8 @@ "iatnulap7662.internal.local" ], "related.ip": [ - "10.248.108.55", - "10.120.215.174" + "10.120.215.174", + "10.248.108.55" ], "related.user": [ "prehend" @@ -5130,8 +5130,8 @@ "10.248.108.55" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.org", "url.extension": "txt", @@ -5210,8 +5210,8 @@ "10.15.254.181" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.net", "url.extension": "htm", @@ -5256,8 +5256,8 @@ "onorumet4871.lan" ], "related.ip": [ - "10.7.152.238", - "10.129.66.196" + "10.129.66.196", + "10.7.152.238" ], "related.user": [ "equamn" @@ -5292,8 +5292,8 @@ "10.129.66.196" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.com", "url.extension": "txt", @@ -5353,8 +5353,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "squirat", - "Blocked" + "Blocked", + "squirat" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -5374,8 +5374,8 @@ "10.185.107.27" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.org", "url.extension": "gif", @@ -5435,8 +5435,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -5456,8 +5456,8 @@ "10.138.0.214" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "htm", 
@@ -5538,8 +5538,8 @@ "10.12.130.224" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "htm", @@ -5584,8 +5584,8 @@ "quia7214.example" ], "related.ip": [ - "10.91.20.27", - "10.193.152.42" + "10.193.152.42", + "10.91.20.27" ], "related.user": [ "edict" @@ -5620,8 +5620,8 @@ "10.91.20.27" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "html", @@ -5666,8 +5666,8 @@ "aturExc7343.invalid" ], "related.ip": [ - "10.55.192.102", - "10.146.69.38" + "10.146.69.38", + "10.55.192.102" ], "related.user": [ "quia" @@ -5681,8 +5681,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "userro", - "Allowed" + "Allowed", + "userro" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5702,8 +5702,8 @@ "10.55.192.102" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.org", "url.extension": "gif", @@ -5784,8 +5784,8 @@ "10.124.177.226" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.org", "url.extension": "gif", @@ -5866,8 +5866,8 @@ "10.146.228.249" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.org", "url.extension": "html", @@ -5912,8 +5912,8 @@ "agna5654.www.corp" ], "related.ip": [ - "10.203.47.23", - "10.200.74.101" + "10.200.74.101", + "10.203.47.23" ], "related.user": [ "litesse" @@ -5927,8 +5927,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "iqu", - "Allowed" + "Allowed", + "iqu" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", 
@@ -5948,8 +5948,8 @@ "10.203.47.23" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.com", "url.extension": "jpg", @@ -6009,8 +6009,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "tutl", - "Blocked" + "Blocked", + "tutl" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -6030,8 +6030,8 @@ "10.24.23.209" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.com", "url.extension": "gif", @@ -6112,8 +6112,8 @@ "10.211.66.68" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.net", "url.extension": "txt", @@ -6194,8 +6194,8 @@ "10.209.203.156" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.org", "url.extension": "jpg", @@ -6240,8 +6240,8 @@ "tiumtot3611.internal.localdomain" ], "related.ip": [ - "10.84.9.150", - "10.107.68.114" + "10.107.68.114", + "10.84.9.150" ], "related.user": [ "sequatDu" @@ -6276,8 +6276,8 @@ "10.107.68.114" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.net", "url.extension": "gif", @@ -6358,8 +6358,8 @@ "10.124.119.48" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "internal.example.com", "url.extension": "txt", @@ -6419,8 +6419,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "antium", - "Allowed" + "Allowed", + "antium" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -6440,8 +6440,8 @@ "10.223.11.164" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "htm", 
@@ -6501,8 +6501,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "rinc", - "Blocked" + "Blocked", + "rinc" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -6522,8 +6522,8 @@ "10.121.181.243" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.org", "url.extension": "jpg", @@ -6568,8 +6568,8 @@ "uame1361.api.local" ], "related.ip": [ - "10.90.20.202", - "10.10.93.133" + "10.10.93.133", + "10.90.20.202" ], "related.user": [ "evita" @@ -6604,8 +6604,8 @@ "10.10.93.133" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.com", "url.extension": "gif", @@ -6686,8 +6686,8 @@ "10.77.102.206" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "gif", @@ -6732,8 +6732,8 @@ "elit912.www5.test" ], "related.ip": [ - "10.75.144.118", - "10.176.233.249" + "10.176.233.249", + "10.75.144.118" ], "related.user": [ "isnos" @@ -6768,8 +6768,8 @@ "10.75.144.118" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "example.org", "url.extension": "txt", @@ -6850,8 +6850,8 @@ "10.236.55.236" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.net", "url.extension": "jpg", @@ -6911,8 +6911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atcupi", "rsa.misc.action": [ - "uaUten", - "Blocked" + "Blocked", + "uaUten" ], "rsa.misc.category": "modt", "rsa.misc.filter": "magnidol", @@ -6932,8 +6932,8 @@ "10.13.125.101" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.net", "url.extension": "html", 
@@ -6978,8 +6978,8 @@ "ficiad1312.api.host" ], "related.ip": [ - "10.230.61.102", - "10.141.66.163" + "10.141.66.163", + "10.230.61.102" ], "related.user": [ "umdolo" @@ -7014,8 +7014,8 @@ "10.230.61.102" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "jpg", @@ -7060,8 +7060,8 @@ "itaspe921.mail.invalid" ], "related.ip": [ - "10.224.249.228", - "10.10.25.145" + "10.10.25.145", + "10.224.249.228" ], "related.user": [ "mnisiuta" @@ -7096,8 +7096,8 @@ "10.224.249.228" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.org", "url.extension": "html", @@ -7178,8 +7178,8 @@ "10.247.255.107" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.com", "url.extension": "gif", @@ -7260,8 +7260,8 @@ "10.250.102.42" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "htm", @@ -7342,8 +7342,8 @@ "10.154.188.132" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.com", "url.extension": "htm", @@ -7420,8 +7420,8 @@ "10.138.193.38" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.com", "url.extension": "gif", @@ -7498,8 +7498,8 @@ "10.172.159.251" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "api.example.net", "url.extension": "html", @@ -7544,8 +7544,8 @@ "edutpe1255.internal.lan" ], "related.ip": [ - "10.98.126.206", - "10.195.62.230" + "10.195.62.230", + "10.98.126.206" ], "related.user": [ "ptassit" @@ -7580,8 +7580,8 @@ "10.98.126.206" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.com", "url.extension": "txt", 
@@ -7662,8 +7662,8 @@ "10.84.140.5" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.org", "url.extension": "htm", @@ -7708,8 +7708,8 @@ "nos4114.api.lan" ], "related.ip": [ - "10.31.58.6", - "10.198.84.190" + "10.198.84.190", + "10.31.58.6" ], "related.user": [ "unt" @@ -7744,8 +7744,8 @@ "10.198.84.190" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.net", "url.extension": "gif", @@ -7826,8 +7826,8 @@ "10.131.81.172" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www5.example.org", "url.extension": "gif", @@ -7887,8 +7887,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "temvele", - "Blocked" + "Blocked", + "temvele" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", @@ -7908,8 +7908,8 @@ "10.152.217.174" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.org", "url.extension": "gif", @@ -7954,8 +7954,8 @@ "fugiatqu7793.www.localdomain" ], "related.ip": [ - "10.26.149.221", - "10.217.193.148" + "10.217.193.148", + "10.26.149.221" ], "related.user": [ "uisa" @@ -7990,8 +7990,8 @@ "10.217.193.148" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.org", "url.extension": "jpg", @@ -8036,8 +8036,8 @@ "onsequ3168.www.corp" ], "related.ip": [ - "10.172.17.6", - "10.109.192.53" + "10.109.192.53", + "10.172.17.6" ], "related.user": [ "eprehen" @@ -8072,8 +8072,8 @@ "10.172.17.6" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "www.example.com", "url.extension": "htm", 
@@ -8133,8 +8133,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "volup", - "Blocked" + "Blocked", + "volup" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", @@ -8154,8 +8154,8 @@ "10.135.38.213" ], "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.domain": "mail.example.com", "url.extension": "txt", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index bdf9957b55d..f8ce01de30d 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -48,8 +48,8 @@ "rsa.web.fqdn": "", "service.type": "zscaler", "tags": [ - "zscaler.zia", - "forwarded" + "forwarded", + "zscaler.zia" ], "url.original": "", "user.name": "",