diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 61f13ea39e5..d9152a8a3bc 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -300,6 +300,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065]
 - When using the `json.*` setting available on some inputs, decoded fields are now deep-merged into existing event. {pull}17958[17958]
 - Change the `json.*` input settings implementation to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958]
+- Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881]
 *Heartbeat*
diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml
index 28a93562b90..f35881687e8 100644
--- a/filebeat/module/osquery/result/config/result.yml
+++ b/filebeat/module/osquery/result/config/result.yml
@@ -6,3 +6,8 @@ paths:
 exclude_files: [".gz$"]
 json.overwrite_keys: true
 json.add_error_key: true
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json
index 1c03e6eb190..905cba69915 100644
--- a/filebeat/module/osquery/result/ingest/pipeline.json
+++ b/filebeat/module/osquery/result/ingest/pipeline.json
@@ -42,6 +42,164 @@
 "target_field": "osquery.result.calendar_time",
 "ignore_missing": true
 }
+ },
+ {
+ "set": {
+ "field": "event.kind",
+ "value": "event"
+ }
+ },
+ {
+ "set": {
+ "field": "event.type",
+ "value": "info"
+ }
+ },
+ {
+ "set": {
+ "field": "event.action",
+ "value": "{{osquery.result.action}}",
+ "if": "ctx?.osquery?.result?.action != null"
+ }
+ },
+ {
+ "date": {
+ "field": "osquery.result.columns.atime",
+ "target_field": "file.accessed",
+ "formats": ["UNIX"],
+ "ignore_failure": true,
+ "if": "ctx?.osquery?.result?.columns?.atime != null"
+ }
+ },
+ {
+ "date": {
+ "field": "osquery.result.columns.ctime",
+ "target_field": "file.created",
+ "formats": ["UNIX"],
+ "ignore_failure": true,
+ "if": "ctx?.osquery?.result?.columns?.ctime != null"
+ }
+ },
+ {
+ "date": {
+ "field": "osquery.result.columns.mtime",
+ "target_field": "file.mtime",
+ "formats": ["UNIX"],
+ "ignore_failure": true,
+ "if": "ctx?.osquery?.result?.columns?.mtime != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.directory",
+ "value": "{{osquery.result.columns.directory}}",
+ "if": "ctx?.osquery?.result?.columns?.directory != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.name",
+ "value": "{{osquery.result.columns.filename}}",
+ "if": "ctx?.osquery?.result?.columns?.filename != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.gid",
+ "value": "{{osquery.result.columns.gid}}",
+ "if": "ctx?.osquery?.result?.columns?.gid != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.inode",
+ "value": "{{osquery.result.columns.inode}}",
+ "if": "ctx?.osquery?.result?.columns?.inode != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.mode",
+ "value": "{{osquery.result.columns.mode}}",
+ "if": "ctx?.osquery?.result?.columns?.mode != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.path",
+ "value": "{{osquery.result.columns.path}}",
+ "if": "ctx?.osquery?.result?.columns?.path != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.size",
+ "value": "{{osquery.result.columns.size}}",
+ "if": "ctx?.osquery?.result?.columns?.size != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.type",
+ "value": "{{osquery.result.columns.type}}",
+ "if": "ctx?.osquery?.result?.columns?.type != null"
+ }
+ },
+ {
+ "set": {
+ "field": "file.uid",
+ "value": "{{osquery.result.columns.uid}}",
+ "if": "ctx?.osquery?.result?.columns?.uid != null"
+ }
+ },
+ {
+ "set": {
+ "field": "user.name",
+ "value": "{{osquery.result.decorations.username}}",
+ "if": "ctx?.osquery?.result?.decorations?.username != null"
+ }
+ },
+ {
+ "append": {
+ "field": "related.user",
+ "value": "{{user.name}}",
+ "if": "ctx?.user?.name != null"
+ }
+ },
+ {
+ "set": {
+ "field": "host.hostname",
+ "value": "{{osquery.result.host_identifier}}",
+ "if": "ctx?.osquery?.result?.host_identifier != null"
+ }
+ },
+ {
+ "set": {
+ "field": "host.id",
+ "value": "{{osquery.result.decorations.host_uuid}}",
+ "if": "ctx?.osquery?.result?.decorations?.host_uuid != null"
+ }
+ },
+ {
+ "set": {
+ "field": "process.name",
+ "value": "{{osquery.result.columns.process}}",
+ "if": "ctx?.osquery?.result?.columns?.process != null"
+ }
+ },
+ {
+ "set": {
+ "field": "url.full",
+ "value": "{{osquery.result.columns.source_url}}",
+ "if": "ctx?.osquery?.result?.columns?.source_url != null && ctx.osquery.result.columns.source_url != 'null'"
+ }
+ },
+ {
+ "set": {
+ "field": "rule.name",
+ "value": "{{osquery.result.name}}",
+ "if": "ctx?.osquery?.result?.name != null"
+ }
+ }
 ],
 "on_failure" : [{
diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
index 3833a9c040e..5e03b82457b 100644
--- a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
+++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
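Review bot: The second `date` processor maps `osquery.result.columns.ctime` onto `file.created`, but on POSIX filesystems osquery's `ctime` column is the inode status-change time rather than the creation time, so any forensic timeline or detection built on `file.created` from this module would be skewed; ECS provides `file.ctime` for this value, so that processor should use `"target_field": "file.ctime"` and, where the queried table exposes a birth time (`btime`), a separate processor should feed `file.created` from that. Only the `url.full` processor guards against the literal string `'null'` (`ctx.osquery.result.columns.source_url != 'null'`) while the other column-derived `set` processors accept whatever string the column carries; for `file.size`, whose ECS mapping is numeric, a non-numeric or empty value would make the whole document fail at index time unless the mapping sets `ignore_malformed`, so that processor at least deserves the same guard or an `ignore_failure`. `host.hostname` is copied from `osquery.result.host_identifier`, which osquery populates with a UUID or ephemeral id rather than a hostname when the agent runs with a non-default `--host_identifier` setting, so this mapping is presumably only correct for the default configuration — worth a comment or a condition on the value's shape. The enclosing `processors` array begins before this hunk.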
@@ -1,9 +1,14 @@
 [
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 0,
 "osquery.result.action": "added",
@@ -24,13 +29,19 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "rule.name": "pack_osquery-monitoring_schedule",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 490,
 "osquery.result.action": "added",
@@ -51,13 +62,19 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "rule.name": "pack_osquery-monitoring_schedule",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 981,
 "osquery.result.action": "added",
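Review bot: The expected-output hunks for this fixture only exercise the `event.kind`, `event.type`, `event.action`, `host.hostname`, `host.id` and `rule.name` processors; none of the new `file.*`, `user.name`/`related.user`, `process.name` or `url.full` mappings, nor the three UNIX-epoch `date` processors, produce a field in any expected record, so a regression in those paths (a non-epoch `atime`, a literal `'null'` in `source_url`, a non-numeric `size`) would still pass this test. A second log sample from a file-table query, with its own expected file, would cover them. The later hunks in this section add the same six fields to every record and raise nothing further; this fixture appears to be generated from the pipeline, so the gap is in the input sample rather than in this file.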
@@ -78,13 +95,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 1469, "osquery.result.action": "added", @@ -105,13 +128,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 1961, "osquery.result.action": "added", @@ -132,13 +161,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 2456, "osquery.result.action": "added", 
@@ -159,13 +194,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 2941, "osquery.result.action": "added", @@ -186,13 +227,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 3430, "osquery.result.action": "added", @@ -213,13 +260,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 3917, "osquery.result.action": "added", 
@@ -240,13 +293,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 4411, "osquery.result.action": "added", @@ -267,13 +326,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 4901, "osquery.result.action": "added", @@ -294,13 +359,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 5393, "osquery.result.action": "added", 
@@ -321,13 +392,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 5881, "osquery.result.action": "added", @@ -348,13 +425,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 6375, "osquery.result.action": "added", @@ -375,13 +458,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 6865, "osquery.result.action": "added", 
@@ -402,13 +491,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 7353, "osquery.result.action": "added", @@ -429,13 +524,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 7841, "osquery.result.action": "added", @@ -456,13 +557,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 8334, "osquery.result.action": "added", 
@@ -483,13 +590,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 8826, "osquery.result.action": "added", @@ -510,13 +623,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 9319, "osquery.result.action": "added", @@ -537,13 +656,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 9805, "osquery.result.action": "added", 
@@ -564,13 +689,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 10292, "osquery.result.action": "added", @@ -591,13 +722,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 10780, "osquery.result.action": "added", @@ -618,13 +755,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 11269, "osquery.result.action": "added", 
@@ -645,13 +788,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 11762, "osquery.result.action": "added", @@ -672,13 +821,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 12249, "osquery.result.action": "added", @@ -699,13 +854,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 12743, "osquery.result.action": "added", 
@@ -726,13 +887,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 13227, "osquery.result.action": "added", @@ -753,13 +920,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 13717, "osquery.result.action": "added", @@ -780,13 +953,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 14207, "osquery.result.action": "added", 
@@ -807,13 +986,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 14695, "osquery.result.action": "added", @@ -834,13 +1019,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 15181, "osquery.result.action": "added", @@ -861,13 +1052,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 15675, "osquery.result.action": "added", 
@@ -888,13 +1085,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 16168, "osquery.result.action": "added", @@ -915,13 +1118,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 16656, "osquery.result.action": "added", @@ -942,13 +1151,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 17143, "osquery.result.action": "added", 
@@ -969,13 +1184,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 17625, "osquery.result.action": "added", @@ -996,13 +1217,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 18119, "osquery.result.action": "added", @@ -1023,13 +1250,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 18601, "osquery.result.action": "added", 
@@ -1050,13 +1283,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 19096, "osquery.result.action": "added", @@ -1077,13 +1316,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 19591, "osquery.result.action": "added", @@ -1104,13 +1349,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 20074, "osquery.result.action": "added", 
@@ -1131,13 +1382,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 20565, "osquery.result.action": "added", @@ -1158,13 +1415,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 21050, "osquery.result.action": "added", @@ -1185,13 +1448,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 21555, "osquery.result.action": "added", 
@@ -1212,13 +1481,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 22045, "osquery.result.action": "added", @@ -1239,13 +1514,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 22540, "osquery.result.action": "added", @@ -1266,13 +1547,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 23030, "osquery.result.action": "added", 
@@ -1293,13 +1580,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 23522, "osquery.result.action": "added", @@ -1320,13 +1613,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24015, "osquery.result.action": "added", @@ -1347,13 +1646,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24505, "osquery.result.action": "added", 
@@ -1374,13 +1679,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24991, "osquery.result.action": "added", @@ -1401,13 +1712,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 25483, "osquery.result.action": "added", @@ -1428,13 +1745,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 25970, "osquery.result.action": "added", 
@@ -1455,13 +1778,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 26459, "osquery.result.action": "added", @@ -1482,13 +1811,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 26951, "osquery.result.action": "added", @@ -1509,13 +1844,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 27441, "osquery.result.action": "added", 
@@ -1536,13 +1877,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T14:51:55.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 27932, "osquery.result.action": "added", @@ -1563,13 +1910,31 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "rule.name": "pack_osquery-monitoring_schedule", "service.type": "osquery" }, { "@timestamp": "2018-01-08T17:06:29.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.accessed": "2018-01-08T17:06:06.000Z", + "file.created": "2018-01-08T17:06:01.000Z", + "file.directory": "/tmp/.font-unix", + "file.gid": "0", + "file.inode": "256622", + "file.mode": "0644", + "file.mtime": "2018-01-08T17:06:01.000Z", + "file.name": ".cinik", + "file.path": "/tmp/.font-unix/.cinik", + "file.size": "0", + "file.type": "regular", + "file.uid": "0", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 28420, "osquery.result.action": "added", 
@@ -1598,13 +1963,31 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_slapper_installed", "osquery.result.unix_time": "1515431189", + "rule.name": "pack_ossec-rootkit_slapper_installed", "service.type": "osquery" }, { "@timestamp": "2018-01-08T17:19:48.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.accessed": "2018-01-08T17:19:03.000Z", + "file.created": "2018-01-08T17:19:03.000Z", + "file.directory": "/usr/bin", + "file.gid": "0", + "file.inode": "1919", + "file.mode": "0644", + "file.mtime": "2018-01-08T17:19:03.000Z", + "file.name": "adore", + "file.path": "/usr/bin/adore", + "file.size": "0", + "file.type": "regular", + "file.uid": "0", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 29019, "osquery.result.action": "added", @@ -1633,6 +2016,7 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_adore_worm", "osquery.result.unix_time": "1515431988", + "rule.name": "pack_ossec-rootkit_adore_worm", "service.type": "osquery" } ] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json index 040e01e6406..7b7a06ee846 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json 
@@ -1,9 +1,14 @@ [ { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 0, "osquery.result.action": "added", @@ -16,13 +21,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "org.python.python.app", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 333, "osquery.result.action": "added", @@ -35,13 +47,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.ruby", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 659, "osquery.result.action": "added", 
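Review bot: The `process.name` values added in this hunk for the `alf_explicit_auths` results are application bundle identifiers (`org.python.python.app`, `com.apple.ruby`), not executable names as ECS `process.name` is defined, while the `alf_services` rows at L28 onwards carry real names such as `httpd` and `cupsd`; mixing the two under one field makes correlation with other sources' `process.name` unreliable. Presumably the pipeline maps osquery's `process` column regardless of which query produced it (the pipeline is outside this hunk); consider restricting the mapping to queries that emit an executable name, or leaving bundle identifiers under `osquery.result.columns.process` only.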
@@ -54,13 +73,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.a2p", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 984, "osquery.result.action": "added", @@ -73,13 +99,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.javajdk16.cmd", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 1319, "osquery.result.action": "added", 
@@ -92,13 +125,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.php", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 1644, "osquery.result.action": "added", @@ -111,13 +151,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.nc", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 1968, "osquery.result.action": "added", 
@@ -130,13 +177,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", + "process.name": "com.apple.ksh", + "rule.name": "pack_it-compliance_alf_explicit_auths", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 2293, "osquery.result.action": "added", @@ -151,13 +205,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "httpd", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 2649, "osquery.result.action": "added", 
@@ -172,13 +233,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "cupsd", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 3000, "osquery.result.action": "added", @@ -193,13 +261,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "AEServer", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 3358, "osquery.result.action": "added", 
@@ -214,13 +289,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "ftpd", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 3703, "osquery.result.action": "added", @@ -235,13 +317,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "AppleFileServer", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 4070, "osquery.result.action": "added", 
@@ -256,13 +345,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "sshd-keygen-wrapper", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 4438, "osquery.result.action": "added", @@ -277,13 +373,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "smbd", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 4786, "osquery.result.action": "added", 
@@ -298,13 +401,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "AppleVNCServer", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:50.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 5151, "osquery.result.action": "added", @@ -319,13 +429,25 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", + "process.name": "ODSAgent", + "rule.name": "pack_it-compliance_alf_services", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "webextension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 5498, "osquery.result.action": "added", 
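Review bot: The firefox_addons event at the end of this hunk expects `"file.path": ""` — the osquery `path` column is empty for these rows, and the copy into `file.path` evidently only guards against the field being absent, not against an empty value (the pipeline is outside this hunk). An empty `file.path` is indexed as a real keyword value, so `exists` queries and path-based correlation see a file with no path while `file.directory` on the same event holds `/Users/tsg`; the guard should also reject the empty string, e.g. `"if": "ctx?.osquery?.result?.columns?.path != null && ctx.osquery.result.columns.path != ''"`. The hunks at L33 through L38 show the same empty value.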
@@ -359,13 +481,25 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", - "service.type": "osquery" + "rule.name": "pack_it-compliance_firefox_addons", + "service.type": "osquery", + "url.full": "https://addons.cdn.mozilla.net/user-media/addons/8542/lastpass_password_manager-4.2.3.20-an+fx.xpi?filehash=sha256%3Acb837b4d738d51fac1d4361b7ac50cac1fc2828c2848057f10f88220aff77380" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 6464, "osquery.result.action": "added", @@ -399,13 +533,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 7269, "osquery.result.action": "added", 
@@ -439,13 +584,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 8065, "osquery.result.action": "added", @@ -479,13 +635,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 8855, "osquery.result.action": "added", 
@@ -519,13 +686,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 9609, "osquery.result.action": "added", @@ -559,13 +737,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 10354, "osquery.result.action": "added", 
@@ -599,13 +788,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 11165, "osquery.result.action": "added", @@ -639,13 +839,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 11940, "osquery.result.action": "added", 
@@ -679,13 +890,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 12829, "osquery.result.action": "added", @@ -719,13 +941,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 13596, "osquery.result.action": "added", 
@@ -759,13 +992,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "theme", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 14348, "osquery.result.action": "added", @@ -799,13 +1043,24 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.directory": "/Users/tsg", + "file.gid": "20", + "file.path": "", + "file.type": "extension", + "file.uid": "501", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 15100, "osquery.result.action": "added", 
@@ -839,13 +1094,21 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", - "service.type": "osquery" + "rule.name": "pack_it-compliance_firefox_addons", + "service.type": "osquery", + "url.full": "file:///var/folders/rl/ps6sz7995lq3kqz5v9bmwjlh0000gn/T/tmpaddon" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/ansible/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 16011, "osquery.result.action": "added", @@ -860,13 +1123,20 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "rule.name": "pack_it-compliance_homebrew_packages", "service.type": "osquery" }, { "@timestamp": "2017-12-28T14:39:51.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.path": "/usr/local/Cellar/asio/", "fileset.name": "result", + "host.hostname": "192-168-0-4.rdsnet.ro", + "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3", "input.type": "log", "log.offset": 16389, "osquery.result.action": "added", 
@@ -881,13 +1151,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/augeas/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 16760,
 "osquery.result.action": "added",
@@ -902,13 +1179,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/awscli/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 17132,
 "osquery.result.action": "added",
@@ -923,13 +1207,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/boost/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 17507,
 "osquery.result.action": "added",
@@ -944,13 +1235,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/elasticsearch/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 17878,
 "osquery.result.action": "added",
@@ -965,13 +1263,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/filebeat/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 18264,
 "osquery.result.action": "added",
@@ -986,13 +1291,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/fontconfig/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 18640,
 "osquery.result.action": "added",
@@ -1007,13 +1319,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/freetype/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 19021,
 "osquery.result.action": "added",
@@ -1028,13 +1347,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/gd/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 19397,
 "osquery.result.action": "added",
@@ -1049,13 +1375,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/gdbm/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 19761,
 "osquery.result.action": "added",
@@ -1070,13 +1403,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/gettext/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 20128,
 "osquery.result.action": "added",
@@ -1091,13 +1431,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/gflags/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 20505,
 "osquery.result.action": "added",
@@ -1112,13 +1459,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/git-crypt/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 20877,
 "osquery.result.action": "added",
@@ -1133,13 +1487,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/glog/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 21255,
 "osquery.result.action": "added",
@@ -1154,13 +1515,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/go/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 21625,
 "osquery.result.action": "added",
@@ -1175,13 +1543,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/go@1.8/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 21989,
 "osquery.result.action": "added",
@@ -1196,13 +1571,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/gradle/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 22361,
 "osquery.result.action": "added",
@@ -1217,13 +1599,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/graphviz/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 22731,
 "osquery.result.action": "added",
@@ -1238,13 +1627,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/heartbeat/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 23108,
 "osquery.result.action": "added",
@@ -1259,13 +1655,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/heartbeat/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 23486,
 "osquery.result.action": "added",
@@ -1280,13 +1683,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/icu4c/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 23864,
 "osquery.result.action": "added",
@@ -1301,13 +1711,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/jemalloc/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 24235,
 "osquery.result.action": "added",
@@ -1322,13 +1739,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/jpeg/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 24611,
 "osquery.result.action": "added",
@@ -1343,13 +1767,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/jq/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 24976,
 "osquery.result.action": "added",
@@ -1364,13 +1795,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libarchive/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 25340,
 "osquery.result.action": "added",
@@ -1385,13 +1823,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libevent/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 25720,
 "osquery.result.action": "added",
@@ -1406,13 +1851,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libmagic/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 26096,
 "osquery.result.action": "added",
@@ -1427,13 +1879,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libpng/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 26471,
 "osquery.result.action": "added",
@@ -1448,13 +1907,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/librdkafka/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 26844,
 "osquery.result.action": "added",
@@ -1469,13 +1935,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libtermkey/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 27225,
 "osquery.result.action": "added",
@@ -1490,13 +1963,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libtiff/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 27604,
 "osquery.result.action": "added",
@@ -1511,13 +1991,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libtool/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 27980,
 "osquery.result.action": "added",
@@ -1532,13 +2019,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libuv/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 28356,
 "osquery.result.action": "added",
@@ -1553,13 +2047,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libvterm/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 28727,
 "osquery.result.action": "added",
@@ -1574,13 +2075,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/libyaml/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 29101,
 "osquery.result.action": "added",
@@ -1595,13 +2103,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/lldpd/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 29475,
 "osquery.result.action": "added",
@@ -1616,13 +2131,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/lz4/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 29845,
 "osquery.result.action": "added",
@@ -1637,13 +2159,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/lzlib/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 30211,
 "osquery.result.action": "added",
@@ -1658,13 +2187,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/metricbeat/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 30579,
 "osquery.result.action": "added",
@@ -1679,13 +2215,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/msgpack/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 30959,
 "osquery.result.action": "added",
@@ -1700,13 +2243,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/neovim/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 31333,
 "osquery.result.action": "added",
@@ -1721,13 +2271,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/nginx/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 31707,
 "osquery.result.action": "added",
@@ -1742,13 +2299,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/node/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 32078,
 "osquery.result.action": "added",
@@ -1763,13 +2327,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/nvm/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 32446,
 "osquery.result.action": "added",
@@ -1784,13 +2355,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/oniguruma/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 32813,
 "osquery.result.action": "added",
@@ -1805,13 +2383,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/openssl/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 33191,
 "osquery.result.action": "added",
@@ -1826,13 +2411,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/openssl/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 33566,
 "osquery.result.action": "added",
@@ -1847,13 +2439,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/openssl@1.1/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 33941,
 "osquery.result.action": "added",
@@ -1868,13 +2467,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/osquery/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 34324,
 "osquery.result.action": "added",
@@ -1889,13 +2495,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/pcre/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 34699,
 "osquery.result.action": "added",
@@ -1910,13 +2523,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/perl/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 35066,
 "osquery.result.action": "added",
@@ -1931,13 +2551,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/python/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 35435,
 "osquery.result.action": "added",
@@ -1952,13 +2579,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/rapidjson/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 35810,
 "osquery.result.action": "added",
@@ -1973,13 +2607,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/readline/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 36188,
 "osquery.result.action": "added",
@@ -1994,13 +2635,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/redis/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 36566,
 "osquery.result.action": "added",
@@ -2015,13 +2663,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/rocksdb/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 36936,
 "osquery.result.action": "added",
@@ -2036,13 +2691,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/ruby/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 37310,
 "osquery.result.action": "added",
@@ -2057,13 +2719,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/sleuthkit/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 37680,
 "osquery.result.action": "added",
@@ -2078,13 +2747,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/snappy/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 38058,
 "osquery.result.action": "added",
@@ -2099,13 +2775,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/sqlite/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 38430,
 "osquery.result.action": "added",
@@ -2120,13 +2803,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/telnet/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 38803,
 "osquery.result.action": "added",
@@ -2141,13 +2831,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/the_silver_searcher/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 39177,
 "osquery.result.action": "added",
@@ -2162,13 +2859,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/tree/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 39575,
 "osquery.result.action": "added",
@@ -2183,13 +2887,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/unibilium/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 39943,
 "osquery.result.action": "added",
@@ -2204,13 +2915,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/vim/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 40321,
 "osquery.result.action": "added",
@@ -2225,13 +2943,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/webp/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 40690,
 "osquery.result.action": "added",
@@ -2246,13 +2971,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/xz/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 41060,
 "osquery.result.action": "added",
@@ -2267,13 +2999,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/yara/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 41424,
 "osquery.result.action": "added",
@@ -2288,13 +3027,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/zsh/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 41792,
 "osquery.result.action": "added",
@@ -2309,13 +3055,20 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/usr/local/Cellar/zstd/",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 42158,
 "osquery.result.action": "added",
@@ -2330,6 +3083,7 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_homebrew_packages",
 "osquery.result.unix_time": "1514471991",
+ "rule.name": "pack_it-compliance_homebrew_packages",
 "service.type": "osquery"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json
index ae42a05155c..5e98a6bc7c0 100644
--- a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json
+++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json
@@ -1,9 +1,14 @@
 [
 {
 "@timestamp": "2017-12-07T12:21:20.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 0,
 "osquery.result.action": "added",
@@ -21,13 +26,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "system_info",
 "osquery.result.unix_time": "1512649280",
+ "rule.name": "system_info",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "73728",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 443,
 "osquery.result.action": "added",
@@ -44,13 +56,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "20480",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 822,
 "osquery.result.action": "added",
@@ -67,13 +86,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "974848",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 1203,
 "osquery.result.action": "added",
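Review bot: The golden output now pins `"file.size": "73728"` as a string, but ECS `file.size` is a `long`; a templated `set` copies the osquery column verbatim as text, so indices with the ECS mapping will reject or silently coerce the value and range queries on size will not behave. The pipeline that emits it is outside this hunk, but the expected file shows the result, so the fix belongs there: add a `convert` step after the set, `{ "convert": { "field": "file.size", "type": "long", "ignore_missing": true } }`, and regenerate these fixtures so the value is an unquoted number. The same string-typed `file.size` appears in every remaining hunk of this file below.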
@@ -90,13 +116,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "49152",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 1583,
 "osquery.result.action": "added",
@@ -113,13 +146,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "40960",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 1965,
 "osquery.result.action": "added",
@@ -136,13 +176,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "20480",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 2346,
 "osquery.result.action": "added",
@@ -159,13 +206,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 2727,
 "osquery.result.action": "added",
@@ -182,13 +236,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 3113,
 "osquery.result.action": "added",
@@ -205,13 +266,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "286720",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 3498,
 "osquery.result.action": "added",
@@ -228,13 +296,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "32768",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 3889,
 "osquery.result.action": "added",
@@ -251,13 +326,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "40960",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 4275,
 "osquery.result.action": "added",
@@ -274,13 +356,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "49152",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 4656,
 "osquery.result.action": "added",
@@ -297,13 +386,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "49152",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 5054,
 "osquery.result.action": "added",
@@ -320,13 +416,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "49152",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 5437,
 "osquery.result.action": "added",
@@ -343,13 +446,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "45056",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 5826,
 "osquery.result.action": "added",
@@ -366,13 +476,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "45056",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 6213,
 "osquery.result.action": "added",
@@ -389,13 +506,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "36864",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 6600,
 "osquery.result.action": "added",
@@ -412,13 +536,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "49152",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 6993,
 "osquery.result.action": "added",
@@ -435,13 +566,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "106496",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 7385,
 "osquery.result.action": "added",
@@ -458,13 +596,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "16384",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 7808,
 "osquery.result.action": "added",
@@ -481,13 +626,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "20480",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 8205,
 "osquery.result.action": "added",
@@ -504,13 +656,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "24576",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 8590,
 "osquery.result.action": "added",
@@ -527,13 +686,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "53248",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 8986,
 "osquery.result.action": "added",
@@ -550,13 +716,20 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "rule.name": "pack_it-compliance_kernel_modules",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.size": "98304",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 9399,
 "osquery.result.action": "added",
@@ -573,13 +746,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "40960", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 9820, "osquery.result.action": "added", @@ -596,13 +776,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "991232", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 10203, "osquery.result.action": "added", @@ -619,13 +806,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "49152", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 10585, "osquery.result.action": "added", 
@@ -642,13 +836,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "110592", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 10967, "osquery.result.action": "added", @@ -665,13 +866,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "20480", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 11351, "osquery.result.action": "added", @@ -688,13 +896,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 11750, "osquery.result.action": "added", 
@@ -711,13 +926,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 12162, "osquery.result.action": "added", @@ -734,13 +956,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 12570, "osquery.result.action": "added", @@ -757,13 +986,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 12988, "osquery.result.action": "added", 
@@ -780,13 +1016,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "24576", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 13428, "osquery.result.action": "added", @@ -803,13 +1046,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "102400", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 13821, "osquery.result.action": "added", @@ -826,13 +1076,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 14245, "osquery.result.action": "added", 
@@ -849,13 +1106,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "36864", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 14640, "osquery.result.action": "added", @@ -872,13 +1136,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "20480", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 15021, "osquery.result.action": "added", @@ -895,13 +1166,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 15402, "osquery.result.action": "added", 
@@ -918,13 +1196,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 15787, "osquery.result.action": "added", @@ -941,13 +1226,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 16169, "osquery.result.action": "added", @@ -964,13 +1256,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 16561, "osquery.result.action": "added", 
@@ -987,13 +1286,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 16949, "osquery.result.action": "added", @@ -1010,13 +1316,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "167936", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 17344, "osquery.result.action": "added", @@ -1033,13 +1346,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "20480", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 17732, "osquery.result.action": "added", 
@@ -1056,13 +1376,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 18128, "osquery.result.action": "added", @@ -1079,13 +1406,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 18517, "osquery.result.action": "added", @@ -1102,13 +1436,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 18903, "osquery.result.action": "added", 
@@ -1125,13 +1466,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "16384", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 19300, "osquery.result.action": "added", @@ -1148,13 +1496,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "24576", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 19697, "osquery.result.action": "added", @@ -1171,13 +1526,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "32768", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 20079, "osquery.result.action": "added", 
@@ -1194,13 +1556,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "40960", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 20478, "osquery.result.action": "added", @@ -1217,13 +1586,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "20480", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 20867, "osquery.result.action": "added", @@ -1240,13 +1616,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "131072", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 21291, "osquery.result.action": "added", 
@@ -1263,13 +1646,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "102400", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 21675, "osquery.result.action": "added", @@ -1286,13 +1676,20 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:15.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.size": "135168", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 22073, "osquery.result.action": "added", @@ -1309,13 +1706,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "rule.name": "pack_it-compliance_kernel_modules", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 22455, "osquery.result.action": "added", 
@@ -1333,13 +1738,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 22826, "osquery.result.action": "added", @@ -1357,13 +1770,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 23234, "osquery.result.action": "added", 
@@ -1381,13 +1802,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 23627, "osquery.result.action": "added", @@ -1405,13 +1834,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24000, "osquery.result.action": "added", 
@@ -1429,13 +1866,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24373, "osquery.result.action": "added", @@ -1453,13 +1898,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 24746, "osquery.result.action": "added", 
@@ -1477,13 +1930,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 25119, "osquery.result.action": "added", @@ -1501,13 +1962,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 25492, "osquery.result.action": "added", 
@@ -1525,13 +1994,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 25865, "osquery.result.action": "added", @@ -1549,13 +2026,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 26238, "osquery.result.action": "added", @@ -1573,13 +2058,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 26611, "osquery.result.action": "added", 
@@ -1600,13 +2091,19 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_os_version", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:18.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 27065, "osquery.result.action": "added", @@ -1643,13 +2140,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669438", + "rule.name": "pack_it-compliance_osquery_info", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 27975, "osquery.result.action": "added", @@ -1667,13 +2172,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 28346, "osquery.result.action": "added", 
@@ -1691,13 +2204,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 28754, "osquery.result.action": "added", @@ -1715,13 +2236,21 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "rule.name": "pack_it-compliance_disk_encryption", "service.type": "osquery" }, { "@timestamp": "2017-12-07T17:57:19.000Z", + "event.action": "added", "event.dataset": "osquery.result", + "event.kind": "event", "event.module": "osquery", + "event.type": "info", + "file.type": "", + "file.uid": "", "fileset.name": "result", + "host.hostname": "ubuntu-xenial", + "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", "input.type": "log", "log.offset": 29147, "osquery.result.action": "added", 
@@ -1739,13 +2268,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 29520,
 "osquery.result.action": "added",
@@ -1763,13 +2300,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 29893,
 "osquery.result.action": "added",
@@ -1787,13 +2332,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 30266,
 "osquery.result.action": "added",
@@ -1811,13 +2364,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 30639,
 "osquery.result.action": "added",
@@ -1835,13 +2396,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 31012,
 "osquery.result.action": "added",
@@ -1859,13 +2428,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 31385,
 "osquery.result.action": "added",
@@ -1883,13 +2460,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.type": "",
+ "file.uid": "",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 31758,
 "osquery.result.action": "added",
@@ -1907,13 +2492,19 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_disk_encryption",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 32131,
 "osquery.result.action": "added",
@@ -1934,13 +2525,19 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_os_version",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_os_version",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 32585,
 "osquery.result.action": "added",
@@ -1977,13 +2574,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_osquery_info",
 "osquery.result.unix_time": "1512669439",
+ "rule.name": "pack_it-compliance_osquery_info",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys",
+ "file.type": "sysfs",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 33499,
 "osquery.result.action": "added",
@@ -2006,13 +2611,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/proc",
+ "file.type": "proc",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 33999,
 "osquery.result.action": "added",
@@ -2035,13 +2648,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/dev",
+ "file.type": "devtmpfs",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 34499,
 "osquery.result.action": "added",
@@ -2064,13 +2685,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/dev/pts",
+ "file.type": "devpts",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 35051,
 "osquery.result.action": "added",
@@ -2093,13 +2722,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/run",
+ "file.type": "tmpfs",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 35581,
 "osquery.result.action": "added",
@@ -2122,13 +2759,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/",
+ "file.type": "ext4",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 36119,
 "osquery.result.action": "added",
@@ -2151,13 +2796,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/kernel/security",
+ "file.type": "securityfs",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 36650,
 "osquery.result.action": "added",
@@ -2180,13 +2833,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/dev/shm",
+ "file.type": "tmpfs",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 37183,
 "osquery.result.action": "added",
@@ -2209,13 +2870,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/run/lock",
+ "file.type": "tmpfs",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 37697,
 "osquery.result.action": "added",
@@ -2238,13 +2907,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/fs/cgroup",
+ "file.type": "tmpfs",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 38233,
 "osquery.result.action": "added",
@@ -2267,13 +2944,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/fs/cgroup/systemd",
+ "file.type": "cgroup",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 38770,
 "osquery.result.action": "added",
@@ -2296,13 +2981,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/fs/pstore",
+ "file.type": "pstore",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 39365,
 "osquery.result.action": "added",
@@ -2325,13 +3018,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/fs/cgroup/cpu,cpuacct",
+ "file.type": "cgroup",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 39880,
 "osquery.result.action": "added",
@@ -2354,13 +3055,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/fs/cgroup/perf_event",
+ "file.type": "cgroup",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 40420,
 "osquery.result.action": "added",
@@ -2383,13 +3092,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/fs/cgroup/pids",
+ "file.type": "cgroup",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 40958,
 "osquery.result.action": "added",
@@ -2412,13 +3129,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/fs/cgroup/cpuset",
+ "file.type": "cgroup",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 41484,
 "osquery.result.action": "added",
@@ -2441,13 +3166,21 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
+ "event.action": "added",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/sys/fs/cgroup/blkio",
+ "file.type": "cgroup",
 "fileset.name": "result",
+ "host.hostname": "ubuntu-xenial",
+ "host.id": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9",
 "input.type": "log",
 "log.offset": 42014,
 "osquery.result.action": "added",
@@ -2470,6 +3203,7 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json
index f529f0d18ce..1051a6d64a8 100644
--- a/filebeat/module/osquery/result/test/test.log-expected.json
+++ b/filebeat/module/osquery/result/test/test.log-expected.json
@@ -1,9 +1,16 @@
 [
 {
 "@timestamp": "2017-12-28T14:40:08.000Z",
+ "event.action": "removed",
 "event.dataset": "osquery.result",
+ "event.kind": "event",
 "event.module": "osquery",
+ "event.type": "info",
+ "file.path": "/private/var/vm",
+ "file.type": "apfs",
 "fileset.name": "result",
+ "host.hostname": "192-168-0-4.rdsnet.ro",
+ "host.id": "4AB2906D-5516-5794-AF54-86D1D7F533F3",
 "input.type": "log",
 "log.offset": 0,
 "osquery.result.action": "removed",
@@ -26,6 +33,7 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1514472008",
+ "rule.name": "pack_it-compliance_mounts",
 "service.type": "osquery"
 }
 ]
\ No newline at end of file